A warning is now displayed when a file's contents include bidirectional Unicode text. Such text can be interpreted or compiled differently than it appears in a user interface. For example, hidden, bidirectional Unicode characters can be used to swap segments of text in a file. This can cause code to appear one way and be interpreted or compiled another way.
This security issue is the subject of a newly published Common Vulnerabilities and Exposures (CVE) entry: CVE-2021-42574. If your use of bidirectional Unicode characters is intentional and not malformed, you can ignore the warning.
To review a file for which this warning is displayed, open it in an editor that can display the hidden, bidirectional Unicode characters. Then verify that the characters are necessary and not disguising text that will be interpreted or compiled differently than it appears. To do this in the Visual Studio Code editor:
- Open the file in Visual Studio Code.
- On the status bar at the bottom-right of the application, click the file's type of encoding – usually UTF-8.
- In the Command Palette that appears at the top of the application, select Reopen with Encoding and then DOS (CP 437).
- This will reveal the ASCII representation of hidden Unicode characters in the file, like
For more information, refer to Trojan Source: Invisible Source Code Vulnerabilities.
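
The same review can be done without an editor. The script below is an added example, not part of the original page and not the detection logic behind the warning: it lists every explicit bidirectional formatting character (the set defined in UAX #9) with its line and column, and flags lines where one is opened but never closed. The names `scan_bidi` and `SAMPLE` and the per-line balance check are assumptions of this example.

```python
import sys
import unicodedata

# Explicit directional formatting characters from the Unicode
# Bidirectional Algorithm (UAX #9).
EMBED_OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
ISOLATE_OPENERS = {"\u2066", "\u2067", "\u2068"}          # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"                             # the two closers
BIDI_CONTROLS = EMBED_OPENERS | ISOLATE_OPENERS | {PDF, PDI}

# Constructed sample; escapes are used so this listing holds no hidden characters.
SAMPLE = (
    "total = 1\n"
    "label = '\u2067abc\u2069'\n"      # isolate opened and closed
    "# note \u202e left open\n"        # override never closed
)


def scan_bidi(text):
    """Return (findings, unbalanced_lines) with 1-based line and column numbers."""
    findings, unbalanced = [], []
    for lineno, line in enumerate(text.split("\n"), start=1):
        embeds = isolates = 0
        for col, ch in enumerate(line, start=1):
            if ch not in BIDI_CONTROLS:
                continue
            findings.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
            if ch in EMBED_OPENERS:
                embeds += 1
            elif ch in ISOLATE_OPENERS:
                isolates += 1
            elif ch == PDF:
                embeds = max(embeds - 1, 0)
            else:  # PDI
                isolates = max(isolates - 1, 0)
        # Simplified balance check (assumption): an opener with no closer
        # on the same line is flagged for closer review.
        if embeds or isolates:
            unbalanced.append(lineno)
    return findings, unbalanced


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits, open_lines = scan_bidi(fh.read())
        for lineno, col, code, name in hits:
            print(f"{path}:{lineno}:{col}: {code} {name}")
        if open_lines:
            print(f"{path}: unclosed bidi control on line(s) {open_lines}")
```

Run it with one or more file paths as arguments; a file that produces no output contains none of these characters.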