Directionality controls for malicious code

Karl Williamson public at khwilliamson.com
Tue Nov 30 12:38:48 CST 2021


It is possible to make text appear to be other than what it really is by 
using BiDi controls.

Such text may be in the form of computer code, which could allow a 
trojan horse attack by sneaking stuff past human code reviewers.

I have not studied the BiDi algorithm, so this may be naive.

Is there any legitimate use of BiDi controls in text that doesn't have a 
mixture of LtoR and RtoL strings?

If not, and since there are relatively few scripts of RtoL characters, 
is there any legitimate use of BiDi controls outside of script runs of 
those scripts?

If not, then could the Bidi control characters be made to have their scx 
property value be all the RtoL scripts, and software such as git could 
warn or forbid text of mixed scripts?

Or could a new property be created that allowed for machine detection of 
malicious use?

Karl Williamson
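
The check the message asks about, as an added example that is not part of the original post: flag BiDi control characters on lines that contain no strongly right-to-left characters. It relies on the existing Bidi_Class property rather than the scx change proposed above; the control set, the per-line granularity, the verdict labels and the function names are assumptions of this example.

```python
import unicodedata

# Explicit embeddings, overrides and isolates, plus the implicit marks
# LRM, RLM and ALM. Written as escapes so this file holds no invisible text.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
    "\u200e", "\u200f", "\u061c",
}

def has_strong_rtl(text):
    """True if text holds a real RTL letter (Bidi_Class R or AL).

    RLM and ALM carry those classes themselves, so the controls are
    excluded; otherwise a lone mark would vouch for its own line.
    """
    return any(
        ch not in BIDI_CONTROLS and unicodedata.bidirectional(ch) in ("R", "AL")
        for ch in text
    )

def scan(source):
    """Return (line_no, column, character_name, verdict) per control found.

    'suspicious': control on a line with no RTL letters (assumed heuristic).
    'review':     control next to RTL text, which may be legitimate.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        verdict = "review" if has_strong_rtl(line) else "suspicious"
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((line_no, col, unicodedata.name(ch), verdict))
    return findings

# Constructed sample input: a Latin-only line carrying an override,
# a Hebrew string carrying a right-to-left mark, and a clean line.
SAMPLE = (
    'x = 1  # note\u202e\n'
    'greeting = "\u05e9\u05dc\u05d5\u05dd\u200f!"\n'
    'y = 2\n'
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A pre-commit or server-side hook could call `scan` on each changed file and reject or warn on any `suspicious` finding.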

