From 263eb4732fc6268f9fb35cffb634903ea8e2a26b Mon Sep 17 00:00:00 2001
From: Junegunn Choi <junegunn.c@gmail.com>
Date: Tue, 5 May 2026 09:56:59 +0900
Subject: [PATCH] Strip UTF-8-encoded C1 control characters from rendered items

The display sanitizer already stripped raw 8-bit C1 bytes (0x80-0x9F)
because they decode to RuneError as standalone bytes. Their valid UTF-8
encodings (0xC2 0x80 .. 0xC2 0x9F) decode to the same code points but
were passed through, allowing a filename or input line containing CSI
(U+009B), OSC (U+009D), or DCS (U+0090) to inject terminal control
sequences when rendered.
---
 src/tui/light.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/tui/light.go b/src/tui/light.go
index d0f02c99..eb4445b1 100644
--- a/src/tui/light.go
+++ b/src/tui/light.go
@@ -67,7 +67,8 @@ func (r *LightRenderer) stderrInternal(str string, allowNLCR bool, resetCode str
 	for len(bytes) > 0 {
 		r, sz := utf8.DecodeRune(bytes)
 		nlcr := r == '\n' || r == '\r'
-		if r >= 32 || r == '\x1b' || nlcr {
+		isC1 := r >= 0x80 && r <= 0x9F
+		if (r >= 32 && !isC1) || r == '\x1b' || nlcr {
 			if nlcr && !allowNLCR {
 				if r == '\r' {
 					runes = append(runes, []rune(CR+resetCode)...)