From: Jonathan Rosenne (email@example.com)
Date: Wed Mar 03 2010 - 12:21:43 CST
Proper BIDI rendering of IRIs isn't a security, it is a usability problem.
It should be considered primarily in the context of full bidi - single
language - IRIs, with suitable equivalents for e.g. http and TLDs.
> -----Original Message-----
> From: firstname.lastname@example.org [mailto:email@example.com] On
> Behalf Of Shawn Steele
> Sent: Wednesday, March 03, 2010 7:13 PM
> To: Slim Amamou; Larry Masinter
> Cc: firstname.lastname@example.org; Peter Constable; (email@example.com)
> Subject: RE: BIDI IRI Display (was spoofing and IRIs)
> > An IRI is a sequence of Unicode characters. Is there not
> > already a well-defined way of converting a sequence of
> > Unicode characters to a visual display?
> The problem (from my perspective at least) is that the Unicode BIDI
> rules are somewhat "generic". Unicode expects things like / and . to
> be used in a context of same-script stuff, like a date, time or number.
> IRIs use them as delimiters for a list of elements (labels in the
> domain name or folders in the path), in a hierarchical form. The
> Unicode BIDI algorithm doesn't recognize that there's an underlying
> hierarchy, so it can end up "swapping" pieces in that hierarchy in some
> I'm not sure UTR#36 is the proper place to clarify display of such
> ordered lists. Proper BIDI rendering of IRIs isn't just a security,
> but also a usability, problem. It does seem like perhaps this concept
> should be mentioned in Unicode somewhere. (IRIs aren't the only place
> that similar ordered lists happen).
This archive was generated by hypermail 2.1.5 : Wed Mar 03 2010 - 12:24:23 CST