Open Bug 550166 Opened 16 years ago Updated 3 years ago

BIDI issues in IRI display need reviewing for potential security problems

Categories

(Core :: Networking, defect, P5)

defect

Tracking

()

People

(Reporter: usenet, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-would-take])

Editing IRIs with mixed-direction scripts can cause counter-intuitive and potentially confusing display and editing behaviour. Although this is mentioned in terms of BIDI interactions within DNS labels in RFC 4690, section 2.2.5, I believe this needs a wider-ranging review to examine the whole space of potential problems involving mixing of directions within different IRI components.
Blocks: 316730
This topic is also touched on in section 4, "Bidirectional IRIs for Right-to-Left Languages", of RFC 3987 "Internationalized Resource Identifiers".
I skimmed over section 4 of RFC 3987, and I think that the method suggested for displaying the values in subsection 4.1 is actually not a very good one. I've always thought that using rendering the delimiter characters as though they were surrounded by a pair of LRM's is a way to show data sanely, like: http://‎آزمایش‎.‎ایران‎/مسیر‎/‎صفحه‎?‎متغیر‎=‎‎مقدار Which is the equivalent of: http://test.ir/path/page?variable=value Are there downsides to treating IRIs this way for display?
Whiteboard: necko-would-take]
Whiteboard: necko-would-take] → ]necko-would-take]
Whiteboard: ]necko-would-take] → [necko-would-take]
Priority: -- → P5
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.