Comment 4 for bug 1750527

Jamie Strandboge (jdstrand) wrote:

John and I discussed this a bit on IRC. We should not allow control characters in any of our fields that end up being displayed to the user in snapcraft.yaml and snap.yaml or from forms from the dashboard. Historically, control characters can be used in various attack scenarios on the user's terminal. I'm told that snapd is going to allow snap.yaml overrides for description and summary that are in the store.

We need 4 tasks: snapstore (input validation on forms and what it puts into description and summary), review-tools (check description and summary harder (at least)), snapcraft (check description and summary harder (at least)) and snapd (filter output from snap to screen).

Once the snap store is fixed, this bug can be made public since it closes any sort of attacks via control characters wrt malicious uploads. We can then harden the review-tools, snapcraft and snapd publicly.
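As an added example (not code from this bug report, nor from snapd, snapcraft or review-tools), the two halves of the fix described above in Python: a validator for the user-visible snap.yaml fields for the store/review-tools/snapcraft side, and an output filter for the snapd side. It assumes the snap.yaml has already been parsed into a dict and that newline is the only control character acceptable inside a description.

```python
import unicodedata

# Fields from snap.yaml / snapcraft.yaml that end up displayed to the user.
DISPLAYED_FIELDS = ("summary", "description")

# Assumption: a description may legitimately span lines, so "\n" is allowed
# there; a summary is single-line. No other control character is allowed.
ALLOWED_CONTROLS = {"summary": set(), "description": {"\n"}}


def find_control_chars(value, allowed=frozenset()):
    """Return (offset, codepoint) for each control character in value.

    Unicode category 'Cc' covers C0 (U+0000-U+001F), DEL (U+007F) and
    C1 (U+0080-U+009F), i.e. everything a terminal may act on.
    """
    return [(i, ord(ch)) for i, ch in enumerate(value)
            if unicodedata.category(ch) == "Cc" and ch not in allowed]


def check_displayed_fields(snap_yaml):
    """Validate the user-visible fields of a parsed snap.yaml (a dict).

    Returns a list of human-readable problems; an empty list means clean.
    """
    problems = []
    for field in DISPLAYED_FIELDS:
        value = snap_yaml.get(field)
        if value is None:
            continue
        if not isinstance(value, str):
            problems.append("%s: expected a string" % field)
            continue
        for offset, cp in find_control_chars(value, ALLOWED_CONTROLS[field]):
            problems.append("%s: control character U+%04X at offset %d"
                            % (field, cp, offset))
    return problems


def sanitize_for_terminal(text):
    """snapd-side filter: make control characters visible before printing.

    Every control character except newline and tab is replaced by its caret
    form (^[ for ESC) or \\xNN form, so the terminal never interprets it.
    """
    out = []
    for ch in text:
        if unicodedata.category(ch) == "Cc" and ch not in "\n\t":
            cp = ord(ch)
            out.append("^%c" % (cp ^ 0x40) if cp < 0x20 else "\\x%02x" % cp)
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample: a snap.yaml whose summary smuggles an ANSI escape.
SAMPLE_SNAP_YAML = {
    "name": "example-snap",
    "summary": "Harmless tool\x1b[2J",
    "description": "First line\nSecond line",
}
```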