On 13-10-22 10:04 PM, GD dev wrote:
> Hi All,
>
> Please correct me if I am wrong. My understanding is that harfbuzz internally
> does font sanitization to rule out malicious fonts.

Correct. It does just enough to make sure other harfbuzz routines can run correctly on the font.

> Now, we have platform libs that would use harfbuzz but some might decide to do
> their own shaping, in which case, could they use harfbuzz just for font
> sanitization?

I don't mind exporting API for the sanitization part, but then again, we make no guarantee that our sanitization suits any other piece of code's requirements. It's really just about what our own code is happy about.

> Also, how does harfbuzz' font sanitization support compare to
> the one provided by "Sanitiser for OpenType" library from Chromium
> (https://code.google.com/p/ots/wiki/DesignDoc)?

Not really. We don't adhere to any standards. We just clean up the tables enough to be sure that nothing bad happens when *our* code is run on the font.

--
behdad
http://behdad.org/
