✨ Feature request: utility function to check if a string contains only alphanumeric characters

[PaulRBerg]

Rationale

Onchain generation of NFT SVGs is on the rise. Many SVGs rely on third-party string data, e.g. ERC-20 symbols.

To sanitize strings and prevent XSS attacks, developers should only allow alphanumeric strings in the token symbol¹. This should be enough, since the vast majority of tokens don't contain any special symbols.

It would thus be helpful to have a utility function in Solady for checking whether a string contains only alphanumeric characters.

Example Implementation

/// @notice Checks whether the provided string contains only alphanumeric characters and spaces.
/// @dev Note that this returns true for empty strings, but it is not a security concern.
function isAlphanumeric(string memory str) internal pure returns (bool) {
    // Convert the string to bytes to iterate over its characters.
    bytes memory b = bytes(str);

    uint256 length = b.length;
    for (uint256 i = 0; i < length; ++i) {
        bytes1 char = b[i];

        // Check if it's a space or an alphanumeric character.
        bool isSpace = char == 0x20; // space
        bool isDigit = char >= 0x30 && char <= 0x39; // 0-9
        bool isUppercase = char >= 0x41 && char <= 0x5A; // A-Z
        bool isLowercase = char >= 0x61 && char <= 0x7A; // a-z
        if (!(isSpace || isDigit || isUppercase || isLowercase)) {
            return false;
        }
    }
    return true;
}

Footnotes

1. See, for example, finding M-01 in Sablier's recent audit contest on CodeHawks. ↩

[PaulRBerg]

Alternatively, a utility function to check if a single character is alphanumeric would also be helpful:

function isAlphanumericChar(bytes1 char) internal pure returns (bool) {
    bool isSpace = char == SPACE;
    bool isDigit = char >= ZERO && char <= NINE;
    bool isUppercaseLetter = char >= A && char <= Z;
    bool isLowercaseLetter = char >= a && char <= z;
    return isSpace || isDigit || isUppercaseLetter || isLowercaseLetter;
}

[Vectorized]

Good feature request. Will add, thanks.

[atarpara]

@PaulRBerg your request is fulfilled check it out.

[0xCLARITY]

Personally, I think it's quite surprising that isAlphanumeric would return "true" for spaces - that seems quite counterintuitive.

Other examples I can find of is_alphanumeric don't do that:

• Rust's is_ascii_alphanumeric
• Govalidator's alphanumeric

Maybe it would be better to have 2 functions? isAlphanumeric() and isAlphanumericWithSpaces()?

Other Characters

If we are going to special case "spaces", I can also think of other characters that might deserve the same treatment.

Right now, I'm writing a contract that requires strings be alphanumeric, or _ underscores, or - hyphens, since those are commonly considered valid characters for URL slugs. Right now, I have something like this:

    function _validateUrlSafe(string calldata urlSlug) internal pure {
        // Check that the slug is no more than 16 bytes (which will be 16 characters assuming ASCII).
        uint256 length = bytes(urlSlug).length;
        if (length > 16) revert TooLong();

        // Check all characters are alphanumeric or hyphen/underscore.
        for (uint256 i = 0; i < length; i++) {
            bytes1 charCode = bytes(urlSlug)[i];

            // a-z, A-Z, hyphen, underscore
            if (
                (charCode > 0x60 && charCode < 0x7B) // a-z
                    || (charCode > 0x40 && charCode < 0x5B) // A-Z
                    || (charCode == 0x2D) // hyphen (-)
                    || (charCode == 0x5F) // underscore (_)
            ) continue;

            // numbers (0-9)
            if (charCode > 0x2F && charCode < 0x3A) continue;

            revert InvalidChar();
        }
    }

[Vectorized]

Btw, there is also a LibString.escapeHTML(s).