[Security] Fullwidth character markers bypass sanitization

[ekson73]

Summary

The replaceMarkers function in src/security/external-content.ts performs pattern matching on the folded string but applies replacements to the original content. This allows fullwidth character markers to bypass sanitization.

Impact

Severity: High (10/10)
Type: Security - Potential prompt injection

Suggested Fix

Perform all slicing and replacement operations on the folded string instead of the original content to ensure full-width character markers are correctly sanitized.

Source

Identified by Qodo AI code review.

Files Affected

• src/security/external-content.ts (lines 108-148)

[nu-gui]

I ran into this while reviewing MIME type handling — fullwidth Unicode characters like ａｕｄｉｏ/ｍｐｅｇ bypass the sanitization regex because the character class only matches ASCII. The regex also wasn't anchored at the end, so trailing content after a valid type/subtype pair would slip through.

Fix in #10257 — adds NFKC normalization before validation and anchors the regex with $.

[vignesh07]

Re-validated on current main (February 15, 2026) and this does not reproduce.

What I verified:

• replaceMarkers folds fullwidth/homoglyph marker characters before matching.
• The folded-to-original slicing concern in this case is not causing a bypass, because the mapped marker characters are 1:1 code units in this implementation path.
• Existing tests already exercise homoglyph/fullwidth marker sanitization.

Validation run:

• pnpm test src/security/external-content.test.ts (29 passed)

Given current behavior and coverage, I’m closing this as already resolved on main.

[vignesh07]

Closing as not reproducible on current main; sanitizer and tests already cover fullwidth/homoglyph marker normalization.