# pyscg-0047: Use Allow Lists Over Deny Lists Avoid Incomplete 'deny lists' that can lead to security vulnerabilities such as cross-site scripting (XSS) by using 'allow lists' instead. ## Non-Compliant Code Example The `noncompliant01.py` code demonstrates the difficult handling of exclusion lists in a multi language support use case. `UTF-8` has __1,112,064__ mappings between `8-32` bit values and printable characters such as `生` known as "code points". The `noncompliant01.py` `filterString()` method attempts to search for disallowed inputs and fails to find the `script` tag due to the non-English character `生` in ``. Failure to filter such strings could lead to Cross-Site Scripting (XSS) injection, as per [pyscg-0045: Enforce Consistent Encoding](../../02_encoding_and_strings/pyscg-0045/README.md) *[noncompliant01.py](noncompliant01.py):* ```python # SPDX-FileCopyrightText: OpenSSF project contributors # SPDX-License-Identifier: MIT """ Non-compliant Code Example """ import re import sys if sys.stdout.encoding.lower() != "utf-8": sys.stdout.reconfigure(encoding="UTF-8") def filter_string(input_string: str): """Normalize and validate untrusted string Parameters: input_string(string): String to validate """ # TODO Canonicalize (normalize) before Validating # validate, exclude dangerous tags: for tag in re.findall("<[^>]*>", input_string): if tag in ["