|
| 1 | +# DRAFT Appendices |
| 2 | + |
| 3 | +## Security Considerations |
| 4 | + |
| 5 | +MessageFormat 2.0 _patterns_ are meant to allow a _message_ to include any string value |
| 6 | +which users might normally wish to use in their environment. |
| 7 | +Programming languages and other environments vary in what characters are permitted |
| 8 | +to appear in a valid string. |
| 9 | +In many cases, certain types of characters, such as invisible control characters, |
| 10 | +require escaping by these host formats. |
| 11 | +In other cases, strings are not permitted to contain certain characters at all. |
| 12 | +Since _messages_ are subject to the restrictions and limitations of their |
| 13 | +host environments, their serializations and resource formats, |
| 14 | +that might be sufficient to prevent most problems. |
| 15 | +However, MessageFormat itself does not supply such a restriction. |
| 16 | + |
| 17 | +MessageFormat _messages_ permit nearly all Unicode code points, |
| 18 | +with the exception of surrogates, |
| 19 | +to appear in _literals_, including the text portions of a _pattern_. |
| 20 | +This means that it can be possible for a _message_ to contain invisible characters |
| 21 | +(such as bidirectional controls, |
| 22 | +ASCII control characters in the range U+0000 to U+001F, |
| 23 | +or characters that might be interpreted as escapes or syntax in the host format) |
| 24 | +that abnormally affect the display of the _message_ |
| 25 | +when viewed as source code, or in resource formats or translation tools, |
| 26 | +but do not generate errors from MessageFormat parsers or processing APIs. |
| 27 | + |
| 28 | +Bidirectional text containing right-to-left characters (such as used for Arabic or Hebrew) |
| 29 | +also poses a potential source of confusion for users. |
| 30 | +Since MessageFormat 2.0's syntax makes use of |
| 31 | +keywords and symbols that are left-to-right or consist of neutral characters |
| 32 | +(including characters subject to mirroring under the Unicode Bidirectional Algorithm), |
| 33 | +it is possible to create messages that, |
| 34 | +when displayed in source code, or in resource formats or translation tools, |
| 35 | +have a misleading appearance or are difficult to parse visually. |
| 36 | + |
| 37 | +For more information, see \[[UTS#55](https://unicode.org/reports/tr55/)\] |
| 38 | +<cite>Unicode Source Code Handling</cite>. |
| 39 | + |
| 40 | +MessageFormat 2.0 implementations might allow end-users to install |
| 41 | +_selectors_, _functions_, or _markup_ from third-party sources. |
| 42 | +Such functionality can be a vector for various exploits, |
| 43 | +including buffer overflow, code injection, user tracking, |
| 44 | +fingerprinting, and other types of bad behavior. |
| 45 | +Any installed code needs to be appropriately sandboxed. |
| 46 | +In addition, end-users need to be aware of the risks involved. |
0 commit comments