Closed ioggstream closed 2 years ago
On 2022-07-19 00:48, Roberto Polli wrote:
To reference Unicode security considerations https://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing especially WRT Bidirectional Text Spoofing @dret https://github.com/dret @darrelmiller https://github.com/darrelmiller @eemeli https://github.com/eemeli @dret https://github.com/dret do you think it's worth mentioning that?
to be honest, i am not quite sure about the reasoning here. as a general guideline for spec writing, i think it makes sense to only include things that have to be included, and not to consider things that can be included.
When making some experiments with bidirectional text in yaml files, I discovered that the text rendered can be different from the representation graph, e.g. the keys in the yaml below are the two strings 'aleph' and 'aleph-aleph'
א: 2
אא: 2
This could possibly be used to smuggle content e.g. in a yaml configuration file.
This applies to unicode in general though, and not only to yaml. In some contexts, for example, folks might want to disable right-to-left or bidirectional characters in yaml files, testing for them using linters, to avoid this kind of issue.
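A sketch of the kind of linter check mentioned in the comment above, as an added example that is not part of the original thread or of any project's code. The names `find_bidi`, `lint` and `SAMPLE` are hypothetical; the sample reuses the two keys from the comment and is otherwise constructed.

```python
import unicodedata

# Strong right-to-left letter classes and explicit directional controls (UAX #9).
RTL_LETTERS = {"R", "AL"}
BIDI_CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
LRM = "\u200e"  # invisible left-to-right mark; its bidi class is plain "L"


def find_bidi(text):
    """Return (line, column, U+XXXX, bidi_class) for every flagged character."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cls = unicodedata.bidirectional(ch)
            if cls in RTL_LETTERS or cls in BIDI_CONTROLS or ch == LRM:
                findings.append((lineno, col, f"U+{ord(ch):04X}", cls))
    return findings


def lint(text):
    """Return one report string per flagged line, in logical (stored) order."""
    flagged = {}
    for lineno, col, cp, cls in find_bidi(text):
        flagged.setdefault(lineno, []).append(f"{cp}({cls})@{col}")
    lines = text.splitlines()
    # ascii() escapes non-ASCII characters, so the report shows the stored
    # code point order rather than whatever order a bidi renderer displays.
    return [
        f"line {n}: {ascii(lines[n - 1])} -> {', '.join(hits)}"
        for n, hits in sorted(flagged.items())
    ]


# Constructed sample: the two keys from the comment above, plus an ASCII key.
SAMPLE = "\u05d0: 2\n\u05d0\u05d0: 2\nname: ok\n"

if __name__ == "__main__":
    for report in lint(SAMPLE):
        print(report)
```

The report prints each flagged line with its non-ASCII characters escaped, so a reviewer sees the keys as the parser receives them, independent of how an editor or terminal renders them.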
I'm with @dret here, this seems like a bit of a stretch.
Closing with no action :)
I expect
To reference Unicode security considerations https://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing especially WRT Bidirectional Text Spoofing
@dret @darrelmiller @eemeli @dret do you think it's worth mentioning that?