ietf-wg-httpapi / mediatypes


Reference unicode Security considerations #56

Closed ioggstream closed 2 years ago

ioggstream commented 2 years ago

I expect

To reference Unicode security considerations https://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing especially WRT Bidirectional Text Spoofing

@dret @darrelmiller @eemeli @dret do you think it's worth mentioning that?

dret commented 2 years ago

On 2022-07-19 00:48, Roberto Polli wrote:

To reference Unicode security considerations https://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing especially WRT Bidirectional Text Spoofing @dret https://github.com/dret @darrelmiller https://github.com/darrelmiller @eemeli https://github.com/eemeli @dret https://github.com/dret do you think it's worth mentioning that?

to be honest, i am not quite sure about the reasoning here. as a general guideline for spec writing, i think it makes sense to only include things that have to be included, and not to consider things that can be included.

ioggstream commented 2 years ago

When making some experiments with bidirectional text in yaml files, I discovered that the text rendered can be different from the representation graph, e.g. the keys in the yaml below are the two strings 'aleph' and 'aleph-aleph':

```yaml
א: 2
אא: 2
```

This could possibly be used to smuggle content, e.g. in a yaml configuration file.

This applies to unicode in general though, and not only to yaml. In some contexts, for example, folks might want to disable right-to-left or bidirectional characters in yaml files, testing for them using linters, to avoid this kind of issue.
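As an added example of the linter approach mentioned in the comment above (this is not code from the issue, the mediatypes draft, or the yaml spec), the Python below does two things: it shows that the two keys from the thread are distinct code point sequences even though they render confusingly, and it flags every explicit bidi control character and every strongly right-to-left character in a text file with its line and column. The sample input is constructed here; it repeats the two keys from the thread and goes one step beyond them by adding a line carrying an invisible RIGHT-TO-LEFT OVERRIDE (U+202E), the kind of character UTR #36's bidirectional spoofing section is about. The control-character list and the `R`/`AL` classes come from the Unicode Bidirectional Algorithm (UAX #9).

```python
import unicodedata
from typing import List, Tuple

# Explicit bidi control characters (UAX #9): marks, embeddings, overrides and
# isolates. They are invisible when rendered but change how the surrounding
# text is displayed, while a parser sees them as ordinary characters.
BIDI_CONTROLS = {
    "\u061c",                                          # ARABIC LETTER MARK
    "\u200e", "\u200f",                                # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}

# Bidi classes that are strongly right-to-left. A run of these is displayed
# reversed even without any explicit control character, which is what makes
# the 'aleph' / 'aleph-aleph' keys from the thread render confusingly.
RTL_CLASSES = {"R", "AL"}

# Constructed sample (not taken from the issue): the two keys discussed in the
# thread, plus a line whose value ends in an invisible U+202E override.
SAMPLE_YAML = (
    "\u05d0: 2\n"           # key 'aleph'
    "\u05d0\u05d0: 2\n"     # key 'aleph-aleph'
    "user: admin\u202e\n"   # looks like "user: admin", carries RLO
    "role: viewer\n"
)


def distinct_keys(text: str) -> List[str]:
    """Return the key of every 'key: value' line exactly as a parser sees it.

    Rendering may make two keys look alike; the code point sequences differ.
    """
    keys = []
    for line in text.splitlines():
        if ":" in line:
            keys.append(line.split(":", 1)[0])
    return keys


def lint_bidi(text: str) -> List[Tuple[int, int, str, str]]:
    """Report (line, column, kind, codepoint) for each bidi control or RTL char.

    kind is "control" for an explicit bidi control character and "rtl" for a
    character whose bidi class is R or AL. Columns are 1-based code point
    offsets, not display positions.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, "control", f"U+{ord(ch):04X}"))
            elif unicodedata.bidirectional(ch) in RTL_CLASSES:
                findings.append((lineno, col, "rtl", f"U+{ord(ch):04X}"))
    return findings


def escaped(s: str) -> str:
    """ASCII-only rendering of a key, so reviewers see \\uXXXX instead of glyphs."""
    return ascii(s)


if __name__ == "__main__":
    for key in distinct_keys(SAMPLE_YAML):
        print("key:", escaped(key))
    for lineno, col, kind, cp in lint_bidi(SAMPLE_YAML):
        print(f"line {lineno} col {col}: {kind} {cp} ({unicodedata.name(chr(int(cp[2:], 16)))})")
```

Whether to fail a build on "rtl" findings is a policy choice (legitimate Hebrew or Arabic content will trigger them); the "control" findings are the ones that a plain text editor or diff viewer will hide from a reviewer, and those are the ones most teams reject outright.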

eemeli commented 2 years ago

I'm with @dret here, this seems like a bit of a stretch.

ioggstream commented 2 years ago

Closing with no action :)