- From: Richard Tobin <richard@inf.ed.ac.uk>
- Date: Tue, 26 Jun 2007 12:01:52 +0100 (BST)
- To: public-xml-core-wg@w3.org

Here is an expanded security section taking into account Martin's comments.

Human Readable Resource Identifiers have the same security considerations as IRIs; see Section 8 of [3]. Additional risks resulting from the additional characters allowed in HRRIs include:

- Some characters may not be permitted by the context. For example, NUL characters are not allowed in XML documents.
- The use of control characters and bidirectional formatting characters may allow malicious users to manipulate the displayed version of an HRRI.
- Control characters and non-characters, or HRRIs containing them, may be filtered out by receivers.
- Private use characters are not interoperable and may have unpredictable effects.
- Whitespace characters may be subject to normalization in certain contexts. For example, line endings in XML are normalized to LF; tabs in XML attributes are converted to spaces; and sequences of spaces are collapsed in tokenized XML attributes.
- Some characters may be treated as delimiters in some contexts. For example, spaces are often used to separate resource identifiers in a sequence, and angle brackets are often used to delimit resource identifiers in text.

Human Readable Resource Identifiers are often converted to IRIs or URIs and subsequently used to provide a compact set of instructions for access to network resources; care must be taken to properly interpret the data within a Human Readable Resource Identifier, to prevent that data from causing unintended access, and to avoid including data that should not be revealed in plain text.

-- Richard

Received on Tuesday, 26 June 2007 11:01:59 UTC
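
An added example, not part of the message above or of the draft it proposes: a Python check a receiver could run over an HRRI string to flag the character classes the security section lists. The function names, risk labels, and sample identifier are assumptions made for illustration.

```python
import unicodedata

# Bidirectional formatting characters (Unicode Bidi_Control property).
BIDI_CONTROLS = {0x061C, 0x200E, 0x200F, *range(0x202A, 0x202F), *range(0x2066, 0x206A)}
# Delimiters named in the message: space and angle brackets.
DELIMITERS = {" ", "<", ">"}


def is_noncharacter(cp):
    """U+FDD0..U+FDEF plus the last two code points of every plane."""
    return 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE


def classify(ch):
    """Return the risk classes from the message that apply to one character."""
    cp = ord(ch)
    cat = unicodedata.category(ch)
    risks = []
    if cp == 0:
        risks.append("nul")            # not permitted in XML documents
    if cat == "Cc":
        risks.append("control")        # may be filtered or alter display
    if cp in BIDI_CONTROLS:
        risks.append("bidi-format")    # can reorder the displayed identifier
    if is_noncharacter(cp):
        risks.append("noncharacter")   # may be filtered out by receivers
    if cat == "Co":
        risks.append("private-use")    # not interoperable
    if ch in "\t\n\r " or cat in ("Zs", "Zl", "Zp"):
        risks.append("whitespace")     # subject to normalization in XML
    if ch in DELIMITERS:
        risks.append("delimiter")      # may split or terminate the identifier
    return risks


def audit_hrri(hrri):
    """List (index, 'U+XXXX', risks) for every risky character in an HRRI."""
    findings = []
    for i, ch in enumerate(hrri):
        risks = classify(ch)
        if risks:
            findings.append((i, f"U+{ord(ch):04X}", risks))
    return findings


# Constructed sample: a bidi override, a tab, and a private-use character.
SAMPLE = "http://example.org/a\u202Eb\tc\uE000"
if __name__ == "__main__":
    for finding in audit_hrri(SAMPLE):
        print(finding)
```
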