How to report a defect in TUS?
Asmus Freytag
asmusf at ix.netcom.com
Thu Jul 24 14:52:33 CDT 2025
On 7/24/2025 11:05 AM, Karl Williamson via Unicode wrote:
> Perusing
> https://www.unicode.org/versions/Unicode16.0.0/core-spec/chapter-3/#G54355,
> I noticed it refers to Unicode Technical Report #36, “Unicode Security
> Considerations.” This TR is stabilized. That reference should be
> replaced with something current.
>
> I then went to the unicode.org home page to find how to report this.
> Not seeing anything obvious in the menus, I entered in the search box
>
> report defect
>
> No relevant result came up.
>
When reporting the issue, note should be made of the actual text the
link attempts to cite:
3.5 Deletion of Code Points
<https://www.unicode.org/reports/tr36/tr36-15.html#Deletion_of_Noncharacters>
In some versions prior to Unicode 5.2, conformance clause C7 allowed
the deletion of noncharacter code points:
C7. When a process purports not to modify the interpretation of
a valid coded character sequence, it shall make no change to
that coded character sequence other than the possible
replacement of character sequences by their canonical-equivalent
sequences or the deletion of noncharacter code points.
Whenever a character is invisibly deleted (instead of replaced),
such as in this older version of C7, it may cause a security
problem. The issue is the following: A gateway might be checking for
a sensitive sequence of characters, say "delete". If what is passed
in is "deXlete", where X is a noncharacter, the gateway lets it
through: the sequence "deXlete" may be in and of itself harmless.
However, suppose that later on, past the gateway, an internal
process invisibly deletes the X. In that case, the sensitive
sequence of characters is formed, and can lead to a security breach.
The following is an example of how this can be used for malicious
purposes.
<a href="java\uFEFFscript:alert("XSS")>
In the landing page for the stabilized TR, it says "Some material may
still be useful, and may be extracted in the future for use in other
specifications." The task here cannot simply be to delete the link,
but to move the affected text into the core spec (or some other
document). A defect report would be more useful if it contained a
suggestion to that effect.
A./
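The gateway-bypass scenario quoted above from TR #36 is easy to reproduce. The following is an added example (not code from the original post, from the TR, or from the Unicode Consortium): a naive gateway that substring-checks raw input, an internal process that follows the pre-5.2 reading of C7 and silently deletes noncharacters, and a hardened gateway that replaces rather than deletes. The sensitive-term list, the choice of U+FDD0 as the "X" noncharacter, and the assumption that the internal process also drops U+FEFF (the character in the TR's XSS example) are assumptions made for the demonstration.

```python
"""Reproduces the TR #36 section 3.5 problem: a gateway that inspects text
before an internal process invisibly deletes code points can be bypassed.
Added example; the deletion set and sensitive terms below are assumptions."""

# Assumed list of sequences the gateway is meant to stop.
SENSITIVE = ("delete", "javascript:")


def is_noncharacter(cp: int) -> bool:
    """True for the 66 Unicode noncharacters: U+FDD0..U+FDEF and the last
    two code points of every plane (U+nFFFE and U+nFFFF)."""
    return 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE


def is_invisibly_deleted(ch: str) -> bool:
    """Code points the (assumed) internal process silently drops: every
    noncharacter, plus U+FEFF, the character used in the TR's XSS example."""
    return is_noncharacter(ord(ch)) or ch == "\ufeff"


def gateway_allows(s: str) -> bool:
    """Gateway check: refuse input that contains a sensitive sequence."""
    low = s.lower()
    return not any(term in low for term in SENSITIVE)


def internal_process(s: str) -> str:
    """Internal process behind the gateway, behaving like the pre-5.2 reading
    of C7: the code points above are deleted rather than replaced."""
    return "".join(ch for ch in s if not is_invisibly_deleted(ch))


def naive_pipeline(s: str):
    """Check the raw input, then hand it unchanged to the internal process.
    Returns None when the gateway blocks the input."""
    if not gateway_allows(s):
        return None
    return internal_process(s)


def sanitize(s: str) -> str:
    """Replace (never delete) every code point the internal process would drop,
    so the text the gateway inspects is exactly the text that reaches it."""
    return "".join("\ufffd" if is_invisibly_deleted(ch) else ch for ch in s)


def hardened_pipeline(s: str):
    """Sanitize first, check the sanitized text, and forward the sanitized
    text. U+FFFD survives the internal process, so the gap can never close."""
    clean = sanitize(s)
    if not gateway_allows(clean):
        return None
    return internal_process(clean)


if __name__ == "__main__":
    # Constructed inputs: the TR's "deXlete" with X = U+FDD0, and its
    # javascript: example with U+FEFF inserted in the scheme name.
    for attack in ("de\ufdd0lete", '<a href="java\ufeffscript:alert(\'XSS\')">'):
        print(repr(attack))
        print("  naive    ->", repr(naive_pipeline(attack)))
        print("  hardened ->", repr(hardened_pipeline(attack)))
```

Running it shows the naive pipeline letting both inputs through the gateway and then forming "delete" and "javascript:" past it, while the hardened pipeline forwards "de\ufffdlete" and "java\ufffdscript:" instead. Rejecting any input that contains such code points is an equally valid hardening; the essential property is that nothing downstream may delete what the gateway has already inspected.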