Hi Martin,
On 29/03/10 10:01 AM, "Martin J. Dürst" wrote:
[comments below]
On 2010/03/27 18:49, Marcos Caceres wrote:
Thanks Felix, I will update the schema. However, the BIDI spec warns,
for security reasons, to avoid the overrides so I didn't include them
into our spec. Should I put lro and rlo into the spec regardless? the
spec now contains a note about this in the dir section:
Note:
Under the guidance of the [BIDI] specification, the values that would
allow directional overrides in this specifications, namely Left-to-Right
Override (LRO) and Right-to-Left Override (RLO), have deliberately been
left out of this specification because of security concerns (see
[UTR36]). Authors wanting to override the [BIDI] algorithm can do so by
using [XML] entities and the appropriate Unicode directional markers.
Reading this note, it seems to make NO sense whatever for me to leave
out the lro/rlo values. Essentially, the Note tells you that there is a
security problem that apparently was addressed, and then it goes on to
tell you how to circumvent the solution. Or did I get something wrong?
Your reading of the note is correct. My intention with excluding
overrides was to make it slightly harder for authors (so they would not
be used by accident). The spec may benefit from advisory for user agents
- like warning end users if BDOs are used or making a visual distinction
when an override occurs (particularly if they affect URIs).
I've adapted the following from TR36 as a straw-man, please feel free to
improve:
"In the case where the BIDI algorithm has been explicitly overridden by
the author, a user agent may use coloring or icons to draw the user's
attention as a means of indicating that there may be a security risk
with the presented content; or more obvious, the user agent may display
an alert dialog describing the issue and requiring user confirmation
before continuing (particularly in cases relating to IRIs); or even more
stringent, a user agent may ignore the use the bidirectional overrides
altogether. Implementers are encouraged to refer to [UTR36] for advice
on dealing with the security risks associated with bi-directional text,
IRIs, and Unicode in general."
Kind regards,
Marcos
--
Marcos Caceres
Opera Software
