On 7/24/2025 11:05 AM, Karl Williamson via Unicode wrote:
Perusing https://www.unicode.org/versions/Unicode16.0.0/core-spec/chapter-3/#G54355, I noticed it refers to Unicode Technical Report #36, “Unicode Security Considerations.”  This TR is stabilized.  That reference should be replaced with something current.

I then went to the unicode.org home page to find how to report this. Not seeing anything obvious in the menus, I entered in the search box

report defect

No relevant result came up.

When reporting the issue, note should be made of the actual text the link attempts to cite:


   3.5 Deletion of Code Points
   <https://www.unicode.org/reports/tr36/tr36-15.html#Deletion_of_Noncharacters>

   In some versions prior to Unicode 5.2, conformance clause C7 allowed
   the deletion of noncharacter code points:

       C7. When a process purports not to modify the interpretation of
       a valid coded character sequence, it shall make no change to
       that coded character sequence other than the possible
       replacement of character sequences by their canonical-equivalent
       sequences or the deletion of noncharacter code points.

   Whenever a character is invisibly deleted (instead of replaced),
   such as in this older version of C7, it may cause a security
   problem. The issue is the following: A gateway might be checking for
   a sensitive sequence of characters, say "delete". If what is passed
   in is "deXlete", where X is a noncharacter, the gateway lets it
   through: the sequence "deXlete" may be in and of itself harmless.
   However, suppose that later on, past the gateway, an internal
   process invisibly deletes the X. In that case, the sensitive
   sequence of characters is formed, and can lead to a security breach.

   The following is an example of how this can be used for malicious
   purposes.

   <a href="java\uFEFFscript:alert("XSS")>

In the landing page for the stabilized TR, it says "Some material may still be useful, and may be extracted in the future for use in other specifications."  The task here cannot simply be to delete the link, but to move the affected text into the core spec (or some other document). A defect report would be more useful if it contained a suggestion to that effect.

A./
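As an added illustration of the "deXlete" scenario quoted above from TR #36 section 3.5 (this is example code written for this page, not code from TR #36, the Unicode Consortium, or anyone in the thread), the following Python models the three parties involved: a gateway that inspects raw input, a downstream process that invisibly deletes code points, and the safer alternatives of replacing rather than deleting, or refusing such input at the gateway. The sample inputs are constructed; the `is_noncharacter` range test and the treatment of general category Cf (which covers the U+FEFF used in the TR's XSS example) are the assumptions the example rests on.

```python
"""Models the TR #36 "deXlete" scenario: a gateway check on raw input,
followed by a downstream stage that silently drops code points, lets a
filtered sequence re-form after the gateway. Example code for this page,
not TR #36's own; sample inputs are constructed."""

import unicodedata


def is_noncharacter(cp: int) -> bool:
    """True for the 66 Unicode noncharacters: U+FDD0..U+FDEF and the last
    two code points of every plane (U+xxFFFE and U+xxFFFF)."""
    return 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE


def is_silently_droppable(ch: str) -> bool:
    """Code points a careless downstream process might strip without trace:
    noncharacters (the pre-5.2 C7 allowance) and format characters such as
    U+FEFF (general category Cf). Assumption: treating all Cf this way."""
    return is_noncharacter(ord(ch)) or unicodedata.category(ch) == "Cf"


def naive_gateway_check(text: str, sensitive: str = "delete") -> bool:
    """Gateway that inspects only the raw input. True means 'allowed'."""
    return sensitive not in text


def internal_delete(text: str) -> str:
    """Downstream stage modelled on the old C7 behaviour: invisibly deletes
    droppable code points, so the characters on either side join up."""
    return "".join(ch for ch in text if not is_silently_droppable(ch))


def internal_replace(text: str) -> str:
    """Safer downstream behaviour: replace instead of delete. U+FFFD keeps
    the two halves of a split sequence apart, so nothing new is formed."""
    return "".join("\uFFFD" if is_silently_droppable(ch) else ch for ch in text)


def hardened_gateway_check(text: str, sensitive: str = "delete") -> bool:
    """Gateway that refuses input containing any code point a later stage
    could drop, then applies the sensitive-sequence check. True = allowed."""
    if any(is_silently_droppable(ch) for ch in text):
        return False
    return sensitive not in text


if __name__ == "__main__":
    # Constructed inputs: "deXlete" with X = U+FFFF, and the TR's U+FEFF case.
    for sample, word in (("de\uFFFFlete", "delete"), ("java\uFEFFscript", "javascript")):
        print(repr(sample),
              "| naive gate allows:", naive_gateway_check(sample, word),
              "| after deletion:", repr(internal_delete(sample)),
              "| after replacement:", repr(internal_replace(sample)),
              "| hardened gate allows:", hardened_gateway_check(sample, word))
```

The point the example makes concrete is the one the TR states: the gateway and the downstream process disagree about what the text is. Either the downstream stage must not change the sequence in a way that creates new adjacencies (replace, do not delete), or the gateway must evaluate the same form the downstream stage will see; refusing input that contains noncharacters or other droppable code points is the simplest way to achieve the latter.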