Directionality controls for malicious code

Eli Zaretskii eliz at
Thu Dec 2 02:24:23 CST 2021

> Date: Thu, 2 Dec 2021 00:24:37 -0700
> From: Doug Ewell via Unicode <unicode at>
> Martin J. Dürst wrote:
> > There are many other tools involved, in particular editors. There are
> > probably way less serious editors than programming languages. Editors
> > can clearly show problematic characters, so that users can decide
> > whether they are dangerous or necessary (or both).
> Given the publicity surrounding the "Trojan Source" paper, I'd be surprised if someone weren't already working on a Visual Studio Code extension that flags bidi controls in the editor window. It might already be available, for all I know.

Why are you thinking about the proprietary VS and not about Emacs? ;-)

> Going into a panic and writing this into programming language specifications is what doesn't need to happen.

Blindly showing these controls wherever they are should not happen,
either, because most of their uses are not malicious.  The tests must
be smarter than just looking at the codepoint; they should also look
at the surrounding text and examine the effect of those directional
controls on that text.
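
The distinction drawn in the message above, between a control's mere presence and its effect on the surrounding text, can be sketched as follows. This is an added example, not part of the original thread or of any editor's code. The function names, the two heuristics (an override acting on strong text of the opposite direction, a control left open at end of line) and the sample lines are assumptions constructed here, and it is not a full UAX #9 implementation.

```python
import unicodedata

# UAX #9 explicit directional controls: char -> (name, imposed dir, is_override, is_isolate)
OPENERS = {
    "\u202a": ("LRE", "L", False, False), "\u202b": ("RLE", "R", False, False),
    "\u202d": ("LRO", "L", True, False),  "\u202e": ("RLO", "R", True, False),
    "\u2066": ("LRI", "L", False, True),  "\u2067": ("RLI", "R", False, True),
    "\u2068": ("FSI", None, False, True),
}
PDF, PDI = "\u202c", "\u2069"

def strong_dir(ch):
    """Natural direction of a strong character, or None for weak/neutral ones."""
    bc = unicodedata.bidirectional(ch)
    return "L" if bc == "L" else "R" if bc in ("R", "AL") else None

def scan_line(line):
    """Return sorted (column, control, reason) findings for one line (one bidi paragraph)."""
    findings, stack = set(), []          # stack holds (column, char) of open controls
    for col, ch in enumerate(line):
        if ch in OPENERS:
            stack.append((col, ch))
        elif ch == PDI:
            # PDI closes the nearest open isolate and everything opened inside it.
            idx = [i for i, (_, c) in enumerate(stack) if OPENERS[c][3]]
            if idx:
                del stack[idx[-1]:]
        elif ch == PDF:
            # PDF closes the innermost embedding/override, but never across an isolate.
            if stack and not OPENERS[stack[-1][1]][3]:
                stack.pop()
        elif stack:
            ocol, och = stack[-1]
            name, imposed, is_override, _ = OPENERS[och]
            d = strong_dir(ch)
            # Effect check: the override forces this character against its natural direction.
            if is_override and d and d != imposed:
                findings.add((ocol, name, "overrides strong text"))
    # Controls still open at end of line keep acting on whatever follows them.
    findings.update((c, OPENERS[k][0], "not terminated") for c, k in stack)
    return sorted(findings)

# Constructed sample lines (not taken from the thread): benign isolate, open controls, override.
SAMPLES = [
    'greeting = "\u2067\u05e9\u05dc\u05d5\u05dd\u2069"',
    "/*\u202e } \u2066if (isAdmin)\u2069 \u2066 begin admins only */",
    "x = '\u202eabc\u202c'",
]
if __name__ == "__main__":
    for s in SAMPLES: print(ascii(s), scan_line(s))
```

The first sample, a balanced isolate around right-to-left text, produces no finding, while a codepoint-only check would flag all three lines.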
