[openstreetmap/openstreetmap-website] Special whitespaces are not stripped of the value (Issue #6522)
Strubbl
notifications at github.com
Wed Nov 12 21:50:13 UTC 2025
Strubbl created an issue (openstreetmap/openstreetmap-website#6522)
### URL
https://www.openstreetmap.org/node/13195677665/history/2
### How to reproduce the issue?
If you look at the value of the phone tag of this object, there are special chars at the end after the phone number itself: `+49 163 4968034%E2%81%A9`. I mean the `%E2%81%A9` as suffix is not part of the phone which I will call. Also, these chars are not visible in the web view.
Shouldn't these chars be stripped off before saving the tag value to the database? Are there any valid use cases for this kind of special chars?
Is this maybe anyhow exploitable if JS gets encoded like this? I am thinking of the technique used with [GlassWorm](https://www.koi.ai/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace).
Just for reference, the issue was detected with the phone report tool: https://github.com/confusedbuffalo/phone-report/issues/92
### Screenshot(s) or anything else?
_No response_
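
The following Ruby sketch is an added example, not part of the original issue and not openstreetmap-website code: it decodes the value quoted above, reports the invisible character (`%E2%81%A9` is the UTF-8 encoding of U+2069, POP DIRECTIONAL ISOLATE), and strips format characters for phone-like keys. The function names and the `STRICT_KEYS` list are assumptions made for illustration.

```ruby
# Added example, not openstreetmap-website code. Function names and the
# per-key policy below are assumptions for illustration.

# Unicode general category Cf ("format") covers bidi controls such as
# U+2069 as well as zero-width characters. None of them render visibly.
FORMAT_CHAR = /\p{Cf}/

# Keys whose values are plain data, where no Cf character is meaningful
# (assumed list). Free-text keys such as name are left alone because
# U+200C/U+200D are legitimate in some scripts.
STRICT_KEYS = %w[phone contact:phone fax].freeze

# Turn the percent-encoded form quoted in the issue back into UTF-8.
# "+" is kept literally, since it is part of the phone number.
def decode_percent(encoded)
  encoded.b.gsub(/%(\h\h)/) { [Regexp.last_match(1)].pack("H2") }
         .force_encoding(Encoding::UTF_8)
end

# List every invisible format character with its position and code point.
def find_format_chars(value)
  value.each_char.with_index.filter_map do |ch, i|
    { index: i, codepoint: format("U+%04X", ch.ord) } if ch.match?(FORMAT_CHAR)
  end
end

# Normalise a tag value before storage: strict keys lose all Cf characters
# and surrounding whitespace; other keys are returned unchanged.
def sanitize_tag(key, value)
  return value unless STRICT_KEYS.include?(key)

  value.gsub(FORMAT_CHAR, "").strip
end

# Constructed sample: the value quoted in the issue.
raw = decode_percent("+49 163 4968034%E2%81%A9")
puts find_format_chars(raw).inspect
puts sanitize_tag("phone", raw).inspect
```
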