Using locale-sensitive methods on locale-sensitive data can produce unexpected results if the no locale is specified . Programming language identifiers, protocol keys and HTML tags are often specified in a particular locale, usually Locale.ENGLISH.  It may even be possible to bypass input filters by changing the default locale, which can alter the behavior of locale-sensitive methods. For example, when a string is converted to uppercase, it may be declared valid; however, changing the string back to lower case during subsequent execution may result in a black-listed string.   
Any program which invokes local-sensitive methods on untrusted data must explicitly specify the locale to use with these methods.
| This noncompliant code example uses the locale-sensitive {{String.toUpperCase()}} method to convert an HTML tag to uppercase. While the English locale would convert "title" to "TITLE", the Turkish locale will convert "title" to "T?TLE" where '?' is the Latin capital letter 'I' with a dot above the character \[[API 2006|AA. Bibliography#API 06]\].  | 
| "title".toUpperCase(); | 
This compliant solution explicitly sets the locale to English to avoid unexpected results.
| "title".toUpperCase(Locale.ENGLISH); | 
This rule also applies to the String.equalsIgnoreCase() method.
This compliant solution sets the default locale to English before proceeding with string operations.
| Locale.setDefault( Locale.ENGLISH); "title".toUpperCase(); | 
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| IDS16-J | medium | probable | medium | P8 | L2 | 
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
| <ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a9adb58f-bbe8-4fe6-94f7-66ec1ca6e965"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] |  Class  | ]]></ac:plain-text-body></ac:structured-macro> | 
IDS15-J. Use a subset of ASCII for file names            IDS17-J. Use compatible encodings on both sides of file or network IO