From 0b6a05f541a9b1321f57f9fb0e6593a1abff316d Mon Sep 17 00:00:00 2001 From: Kai Chen Date: Sun, 31 May 2020 13:51:00 -0700 Subject: [PATCH] add section on copy/paste security --- docs/security.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/security.rst b/docs/security.rst index 44c095ac..292590c9 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -258,3 +258,22 @@ certificate key to prevent MITM attacks. or upgrade your key incorrectly. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning + +Copy/Paste Security Issues +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If your website allows users to upload their own code, hidden characters +such as the backspace character (``\b``, ``^H``) can cause the code to +have a different meaning when copy and pasted into terminals. + +For example, ``import y\bose\bm\bi\bt\be\b`` renders as +``import yosemite`` but becomes ``import os`` when pasted in a terminal. + +Consider applying extra filtering, such as replacing all ``\b`` +characters. + +.. code-block:: python + + body = body.replace("\b", "") + +- https://security.stackexchange.com/q/39118
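Review bot: the `code-block` at the end of the new "Copy/Paste Security Issues" section strips only `\b`, while the prose above it describes the problem as "hidden characters such as the backspace character". A reader who copies `body = body.replace("\b", "")` may conclude that removing backspaces alone is sufficient. Suggest either listing the other hidden characters the filter should cover, or stating explicitly that `\b` is one example and the snippet is a starting point. The snippet also uses `body` without saying what it is or where the filtering should happen (on upload, or before rendering); one sentence of context would make it usable. Minor wording in the first paragraph: "copy and pasted" should read "copied and pasted".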