
Answer by R.. GitHub STOP HELPING ICE for Does CVE-2021-42694 affect only compiled code?

"CVE" 2021-42694 does not affect code at all. It affects the systems human beings use to review code and proposed code changes - that is, fancy text editors/IDEs, GitHub pull request and code review workflows, etc. This is a consequence of blindly applying UTR #9 to the entire body of code/patch as a single context, rather than "resolving embedding levels" in an application-specific (in this context, programming-language-specific) manner so that embedding/override controls are not allowed to exert formatting influence across different contexts (comment blocks, quoted strings, etc.) or just not honoring embedding/override control characters at all.
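A check a review pipeline could run before a change reaches a human reviewer, added here as an example and not part of the original answer: it reports every line that carries explicit bidi embedding, override or isolate controls, renders them as visible escapes, and marks lines where one is still open at end of line. The function name `scan` and the sample text are constructed for illustration.

```python
import unicodedata

# Explicit directional formatting characters from the Unicode
# Bidirectional Algorithm.
OPENERS = {"\u202A", "\u202B", "\u202D", "\u202E"}   # LRE, RLE, LRO, RLO
ISOLATE_OPENERS = {"\u2066", "\u2067", "\u2068"}      # LRI, RLI, FSI
PDF, PDI = "\u202C", "\u2069"                         # the two closers
CONTROLS = OPENERS | ISOLATE_OPENERS | {PDF, PDI}


def scan(text):
    """Return one finding per line that contains bidi controls.

    A finding is (line_no, escaped_line, names, unterminated); unterminated
    is True when a control opened on the line is not closed before it ends.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        names, stack = [], []
        for ch in line:
            if ch not in CONTROLS:
                continue
            names.append(unicodedata.name(ch))
            if ch in OPENERS or ch in ISOLATE_OPENERS:
                stack.append(ch)
            elif ch == PDF and stack and stack[-1] in OPENERS:
                stack.pop()  # closes the innermost embedding/override
            elif ch == PDI and any(s in ISOLATE_OPENERS for s in stack):
                # PDI closes the latest isolate and anything opened inside it.
                while stack.pop() not in ISOLATE_OPENERS:
                    pass
        if names:
            # Show each control as a \uXXXX escape so it cannot reorder text.
            escaped = "".join(
                f"\\u{ord(c):04X}" if c in CONTROLS else c for c in line
            )
            findings.append((line_no, escaped, names, bool(stack)))
    return findings


# Constructed sample; controls are written as escapes, not raw characters.
SAMPLE = (
    'x = 1\n'
    'note = "\u202Eabc\u202C"  # closed inside the string\n'
    'flag = "\u2067abc"  # opener never closed\n'
)

if __name__ == "__main__":
    for line_no, escaped, names, unterminated in scan(SAMPLE):
        print(line_no, "UNTERMINATED" if unterminated else "closed", escaped, names)
```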

