W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2010

Re: i18n comments:

From: Marcos Caceres <marcosc@opera.com>
Date: Mon, 29 Mar 2010 13:35:07 +0200
Message-ID: <4BB0906B.4000606@opera.com>
To: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
CC: Felix Sasaki <felix.sasaki@fh-potsdam.de>, Arthur Barstow <art.barstow@nokia.com>, Addison Phillips <addison@amazon.com>, "public-i18n-core@w3.org" <public-i18n-core@w3.org>, public-webapps <public-webapps@w3.org>, Richard Ishida <ishida@w3.org>
Hi Martin,

On 29/03/10 10:01 AM, "Martin J. Dürst" wrote:
> [comments below]
>
> On 2010/03/27 18:49, Marcos Caceres wrote:
>
>> Thanks Felix, I will update the schema. However, the BIDI spec warns,
>> for security reasons, to avoid the overrides so I didn't include them
>> into our spec. Should I put lro and rlo into the spec regardless? the
>> spec now contains a note about this in the dir section:
>>
>> Note:
>> Under the guidance of the [BIDI] specification, the values that would
>> allow directional overrides in this specification, namely Left-to-Right
>> Override (LRO) and Right-to-Left Override (RLO), have deliberately been
>> left out of this specification because of security concerns (see
>> [UTR36]). Authors wanting to override the [BIDI] algorithm can do so by
>> using [XML] entities and the appropriate Unicode directional markers.
>
> Reading this note, it seems to make NO sense whatever for me to leave
> out the lro/rlo values. Essentially, the Note tells you that there is a
> security problem that apparently was addressed, and then it goes on to
> tell you how to circumvent the solution. Or did I get something wrong?

Your reading of the note is correct. My intention with excluding 
overrides was to make it slightly harder for authors (so they would not 
be used by accident). The spec may benefit from an advisory for user 
agents, such as warning end users if BDOs are used or making a visual 
distinction when an override occurs (particularly if they affect URIs).

I've adapted the following from TR36 as a straw-man, please feel free to 
improve:

"In the case where the BIDI algorithm has been explicitly overridden by 
the author, a user agent may use coloring or icons to draw the user's 
attention as a means of indicating that there may be a security risk 
with the presented content; or, more obviously, the user agent may 
display an alert dialog describing the issue and requiring user 
confirmation before continuing (particularly in cases relating to IRIs); 
or, even more stringently, a user agent may ignore the use of 
bidirectional overrides altogether. Implementers are encouraged to refer 
to [UTR36] for advice on dealing with the security risks associated with 
bidirectional text, IRIs, and Unicode in general."

Kind regards,
Marcos

-- 
Marcos Caceres
Opera Software
Received on Monday, 29 March 2010 11:36:01 GMT
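As an added example (not code from this thread or from the Widgets spec), the following JavaScript shows what the three user-agent options in the straw-man text look like in practice: locate the explicit bidi formatting characters in a string, rate the risk with a stricter rule for IRIs, and strip overrides while leaving ordinary embeddings intact. It also expands XML numeric character references, since that is the route the note leaves open to authors. The function names, the risk levels and the sample IRI are assumptions constructed for this example.

```javascript
// Added example for the straw-man user-agent advisory above; not code from
// the thread or the Widgets spec. Names, risk levels and samples are assumed.

// Explicit bidi formatting characters (UAX #9): overrides are the ones the
// note singles out; embeddings, isolates and marks are listed so a checker
// can tell them apart rather than treating every control as hostile.
const BIDI_CONTROLS = new Map([
  [0x202D, { name: 'LRO', kind: 'override' }],
  [0x202E, { name: 'RLO', kind: 'override' }],
  [0x202A, { name: 'LRE', kind: 'embedding' }],
  [0x202B, { name: 'RLE', kind: 'embedding' }],
  [0x202C, { name: 'PDF', kind: 'terminator' }],
  [0x2066, { name: 'LRI', kind: 'isolate' }],
  [0x2067, { name: 'RLI', kind: 'isolate' }],
  [0x2068, { name: 'FSI', kind: 'isolate' }],
  [0x2069, { name: 'PDI', kind: 'terminator' }],
  [0x200E, { name: 'LRM', kind: 'mark' }],
  [0x200F, { name: 'RLM', kind: 'mark' }],
]);

// The note says authors can still inject overrides via XML entities, so a
// checker must look at the text after reference expansion. Numeric references
// only (&#8238; and &#x202E;); a real XML parser does this for you, it is
// done by hand here so the example runs stand-alone.
function decodeNumericRefs(text) {
  return text.replace(/&#(x[0-9a-fA-F]+|[0-9]+);/g, (_, num) =>
    String.fromCodePoint(num[0] === 'x' ? parseInt(num.slice(1), 16) : parseInt(num, 10)));
}

// Every explicit bidi control in `text`, with its UTF-16 index (all of these
// characters are in the BMP, so index and code unit coincide).
function findBidiControls(text) {
  const hits = [];
  for (let i = 0; i < text.length; i++) {
    const info = BIDI_CONTROLS.get(text.charCodeAt(i));
    if (info) hits.push({ index: i, name: info.name, kind: info.kind });
  }
  return hits;
}

// Options 1 and 2 of the straw-man (colour/icon, or alert dialog) need a
// decision first. Any override is "warn"; in an IRI every bidi control is
// "warn", since a reordered host or path is what spoofing relies on; other
// controls in ordinary text are only "info". The indices let a UI mark spans.
function assessBidiRisk(text, { isIri = false } = {}) {
  const hits = findBidiControls(text);
  const overrides = hits.filter(h => h.kind === 'override');
  let level = 'none';
  if (hits.length) level = (overrides.length || isIri) ? 'warn' : 'info';
  return { level, hits };
}

// Option 3 of the straw-man: ignore the overrides altogether. Only LRO/RLO and
// the PDF that closed them are dropped; embeddings and their PDFs are kept, so
// legitimate mixed-direction text is unaffected. A small stack mirrors the
// directional status stack of UAX #9 to pair each PDF with its opener; an
// unmatched PDF is left alone (the bidi algorithm ignores it anyway).
function stripBidiOverrides(text) {
  const stack = [];
  let out = '';
  for (const ch of text) {
    const info = BIDI_CONTROLS.get(ch.codePointAt(0));
    if (info && info.kind === 'override') { stack.push('override'); continue; }
    if (info && info.kind === 'embedding') { stack.push('embedding'); out += ch; continue; }
    if (info && info.name === 'PDF' && stack.pop() === 'override') continue;
    out += ch;
  }
  return out;
}

// Constructed sample: a value an author could write in a config document with
// an XML entity. The logical path is "\u202Efdp.exe" (the file really is
// "fdp.exe"); a bidi-aware renderer displays it as ".../exe.pdf".
const SAMPLE_XML_VALUE = 'http://example.com/&#x202E;fdp.exe';
const SAMPLE_IRI = decodeNumericRefs(SAMPLE_XML_VALUE);

console.log(assessBidiRisk(SAMPLE_IRI, { isIri: true }));
console.log(JSON.stringify(stripBidiOverrides(SAMPLE_IRI)));
```

The risk levels are a policy knob, not something UTR36 prescribes: a user agent that only wants to colour overrides would act on `hits` with `kind === 'override'`, while one following the "ignore altogether" option would feed the result of `stripBidiOverrides` to its renderer and never show the override at all.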
