Strubbl created an issue (openstreetmap/openstreetmap-website#6522)

### URL

https://www.openstreetmap.org/node/13195677665/history/2

### How to reproduce the issue?

If you look at the value of the phone tag of this object, there are special 
chars at the end after the phone number itself: `+49 163 4968034%E2%81%A9`. I 
mean the `%E2%81%A9` as suffix is not part of the phone which I will call. 
Also, these chars are not visible in the web view.

Shouldn't these chars be stripped off before saving the tag value to the 
database? Are there any valid use cases for this kind of special chars?

Is this maybe anyhow exploitable if JS gets encoded like this? I am thinking of 
the technique used with 
[GlassWorm](https://www.koi.ai/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace).


Just for reference, the issue was detected with the phone report tool: 
https://github.com/confusedbuffalo/phone-report/issues/92

### Screenshot(s) or anything else?

_No response_

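As an added illustration (not part of the original issue and not openstreetmap-website code): `%E2%81%A9` is the percent-encoded UTF-8 form of U+2069 POP DIRECTIONAL ISOLATE, a Unicode format (Cf) character that renders as nothing. The Ruby sketch below decodes the reported value, lists every invisible format character with its position, and strips them; all constant and method names are hypothetical, and keeping ZWNJ/ZWJ is an assumption.

```ruby
# Added example; constant and method names are hypothetical, not OSM code.

# Any Unicode "format" (category Cf) character: these render as nothing.
FORMAT_CHARS = /\p{Cf}/
# Bidirectional controls: ALM, LRM/RLM, embeddings/overrides, isolates.
BIDI_CONTROLS = /[\u061C\u200E\u200F\u202A-\u202E\u2066-\u2069]/
# Assumption: ZWNJ/ZWJ are kept, since some scripts and emoji sequences need them.
JOINERS = /[\u200C\u200D]/

# Percent-decode without turning "+" into a space (phone numbers start with "+").
def decode_tag_value(encoded)
  decoded = encoded.b.gsub(/%\h\h/) { |m| m[1, 2].hex.chr }
  decoded.force_encoding(Encoding::UTF_8)
  raise ArgumentError, "not valid UTF-8" unless decoded.valid_encoding?
  decoded
end

# Report each invisible character: where it is, which code point, bidi or not.
def invisible_chars(value)
  value.each_char.with_index
       .select { |ch, _| ch.match?(FORMAT_CHARS) }
       .map do |ch, i|
         { index: i,
           codepoint: format("U+%04X", ch.ord),
           bidi: ch.match?(BIDI_CONTROLS) }
       end
end

# Remove format characters, leaving the joiners listed above in place.
def strip_invisible(value)
  value.gsub(FORMAT_CHARS) { |ch| ch.match?(JOINERS) ? ch : "" }
end

# The value quoted in the issue, as it appears in the report.
REPORTED = "+49 163 4968034%E2%81%A9"

if __FILE__ == $PROGRAM_NAME
  value = decode_tag_value(REPORTED)
  invisible_chars(value).each { |finding| puts finding.inspect }
  puts strip_invisible(value).inspect
end
```
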