> This sounds like an issue that would be triggered in client tools that do not escape characters, not in Swift. Do you confirm? If yes, then I agree with John that it sounds like an optional additional layer of security rather than a vulnerability in Swift.

I have to disagree here. A service cannot rely on its clients to sanitize inputs; that is the responsibility of the service itself. If a service allows any request (from any client) that causes the service to perform actions that are not part of intended operations, then it is a vulnerability in the service.