iherman
commented
5 years ago @jyasskin it is not a problem leaving this in the charter.
Having said that, I am not sure what a future Working Group would do on this: RDF "just" stores/transfers literal values (whether simply unicode characters with BiDi markers in them or not, or literals with an explicit directionality if this work happens). It does not impose any kind of interpretation/check/restriction on using the value (e.g., restrictions on URL datatypes with BiDi, as described in the reference). It is up to the users of the data. In this respect, adding such restrictions would mean the same as adding restrictions on the strings stored in, e.g., JSON.
Such a review would mean reviewing the security aspect for RDF literals as a whole, including when the literal is labeled with a type (e.g., integer). For each cases, each datatypes, possibly misuse may be done. It may well be that such a general security review of RDF literals should be done (I am not familiar with any security breach related to RDF usage, though), but that would go way beyond the very restricted charter this Working Group would have...
Anyway. We can leave this to a future WG to handle of course.
The draft says,
But an attacker could set a misleading base directionality to confuse users, as sketched in http://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing. So, please keep the security considerations around.