Comment by estebank

Comment by estebank 13 hours ago

The security concerns are those of "Trojan source", where the displayed text doesn't correspond to the bytes on the wire.[1]

I don't think a wire protocol should necessarily restrict them, for the sake of compatibility with the existing text corpus out there, but it's a fair observation.

1: https://trojansource.codes/

yencabulator 12 hours ago

The enforcement is an app-level issue, depending on the semantics of the field. I agree it doesn't belong in the low-level transport protocol.

The rules for "username", "display name", "biography", "email address", "email body" and "contents of uploaded file with name foo.txt" are not all going to be the same.

  • Waterluvian 11 hours ago

    Can a regular expression be used to restrict Unicode chars like the ones described?

    I’m imagining a listing of regex rules for the various gotchas, and then a validation-level use that unions the ones you want.

    • fluoridation 4 hours ago

      Why would you need a regular expression for that? It's just a list of characters.
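An added example, not written by any commenter in this thread: per-field validation where each rule is a plain set of code points and a field's policy is the union of the sets it selects, with the same union also available as a regex character class. The rule-set names, their contents (the bidirectional controls U+202A to U+202E and U+2066 to U+2069, plus two optional sets) and the field-to-rule mapping are assumptions made for illustration.

```python
import re
import unicodedata

# Rule sets are plain sets of code points (names and grouping are this example's choice).
RULES = {
    "bidi_controls": set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A)),
    "bidi_marks": {0x200E, 0x200F, 0x061C},
    "zero_width": {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF},
}

# Which rule sets each field unions together (assumed policy, not from the thread).
FIELD_POLICY = {
    "username": ("bidi_controls", "bidi_marks", "zero_width"),
    "display name": ("bidi_controls",),
    "email body": (),
}

def forbidden_for(field):
    """Union of the code points banned for a field; unknown fields get every rule."""
    names = FIELD_POLICY.get(field, tuple(RULES))
    return frozenset().union(*(RULES[n] for n in names))

def violations(field, text):
    """Return (index, code point, Unicode name) for each banned character."""
    banned = forbidden_for(field)
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "<unnamed>"))
            for i, c in enumerate(text) if ord(c) in banned]

def pattern_for(field):
    """The same policy as a compiled character class, for regex-based validators."""
    banned = forbidden_for(field)
    if not banned:
        return re.compile(r"(?!)")  # "[]" is not a valid class; this never matches
    return re.compile("[" + "".join(chr(cp) for cp in sorted(banned)) + "]")

if __name__ == "__main__":
    sample = "alice\u202ebob"  # constructed input containing U+202E
    for field in ("username", "email body"):
        print(field, violations(field, sample))
```

Reporting the index and Unicode name of each rejected character lets the application show the user which invisible character was refused, which a bare regex match does not.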