web javascript unicode case-folding execcommand xss blacklist-bypass

Use locale-sensitive case folding (Turkish dotted I) so a lowercased command-name blacklist misses insertHTML.

Turkish Unicode Bypass on execCommand("insertHTML")

Unicode case folding does not always match the developer's mental model. Characters like the Turkish dotted I (U+0130) interact with toLowerCase() and command comparisons in surprising ways: lowercasing it yields "i" plus a combining dot above, so the folded string no longer equals "inserthtml".

Why It Works

  • The defense lowercases the command name before comparing it; a confusable character survives folding while the browser still accepts the command.

Vulnerable Pattern

  • Blacklists/allowlists implemented by lowercasing command names before comparing against dangerous editor commands.

Exploit Flow

  1. Identify which normalization the defense applies vs. which the browser's command parser applies.
  2. Substitute lookalike or locale-sensitive characters into the command name while keeping the browser accepting it.

Variations

  • Unicode dotted I, fullwidth letters, or other confusables depending on the check.

Common Blockers

  • Strict command equality after browser normalization, or no control over the command string.

PoC Sketch

document.execCommand("İnsertHTML", false, "<img src=x onerror=alert(1)>");
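The check below is an added example, not code from the original page or from the CTF it cites. It shows the vulnerable pattern (a blacklist compared after toLowerCase()) letting the dotted-I and fullwidth forms through, beside a hardened check that rejects any non-ASCII command name and compares an ASCII-only fold against a fixed allowlist. The command lists and the helper names (blacklistAllows, allowlistAllows, asciiLower) are assumptions made for the example.

```javascript
// Added example (not from the original page): why a toLowerCase()-based
// blacklist on execCommand names misses confusables, and a hardened check.

// Constructed blacklist of editor commands the defense wants to block.
const DANGEROUS = new Set(["inserthtml", "insertimage", "createlink"]);

// Vulnerable: Unicode-aware lowercasing before comparison.
// "İnsertHTML".toLowerCase() becomes "i\u0307nserthtml" (11 code units),
// which is not in the set, so the command is allowed through.
function blacklistAllows(cmd) {
  return !DANGEROUS.has(cmd.toLowerCase());
}

// Hardened: allowlist only, ASCII-only input, ASCII-only case fold.
const ALLOWED = new Set(["bold", "italic", "underline"]);

// Fold A-Z to a-z without touching any other code point (no locale rules).
function asciiLower(s) {
  return s.replace(/[A-Z]/g, (c) => String.fromCharCode(c.charCodeAt(0) + 32));
}

// True only if every code unit is printable ASCII; rejects U+0130, fullwidth
// letters, combining marks and control characters before any comparison.
function isPrintableAscii(s) {
  return /^[\x20-\x7e]+$/.test(s);
}

function allowlistAllows(cmd) {
  if (!isPrintableAscii(cmd)) return false;
  return ALLOWED.has(asciiLower(cmd));
}

// Detection aid: a command name whose Unicode fold differs from its ASCII
// fold (or that is non-ASCII at all) is worth logging as a probe attempt.
function looksConfusable(cmd) {
  return !isPrintableAscii(cmd) || cmd.toLowerCase() !== asciiLower(cmd);
}

// Constructed inputs: the plain command, the Turkish dotted-I form from the
// PoC sketch above, and a fullwidth-i variant.
const samples = ["insertHTML", "\u0130nsertHTML", "\uFF49nsertHTML", "Bold"];
for (const c of samples) {
  console.log(JSON.stringify(c),
    "blacklist:", blacklistAllows(c) ? "ALLOWED" : "blocked",
    "allowlist:", allowlistAllows(c) ? "allowed" : "blocked",
    "confusable:", looksConfusable(c));
}
```

The allowlist is the fix that matters: even with ASCII-only folding, a blacklist still depends on the defender enumerating every dangerous command, whereas an allowlist fails closed for anything the browser might accept that the developer did not anticipate.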

Good Situations To Use It

  • A command-name check uses toLowerCase() before comparison.
  • You control the command string.
  • The browser accepts the confusable form.

Sources

  • fcsc2026/web/10_fast_fishers