This page is a compilation of formal public feedback received so far. See Feedback for further information on this issue, how to discuss it, and how to provide feedback.
Date/Time: Wed Apr 13 22:54:25 CDT 2022
Name: Roozbeh Pournader
Report Type: Public Review Issue
Opt Subject: 450
A recent discussion on Twitter led to a potential source code security problem with JavaScript, in that it doesn't treat canonically equivalent identifiers as identical. For example, while U+1026 is canonically equivalent to <U+1025, U+102E>, they are the names of different identifiers and cause security problems: \u1026 = 1 \u1025\u102E = 2 \u1026 + \u1025\u102E Results in the output 3. This does not look like a problem in this form, but when you replace the escaped characters with actual characters, it is. Here is the thread on Twitter: https://twitter.com/FakeUnicode/status/1514447525641859073 Please forward this to the new source code security group.
Date/Time: Wed Apr 13 23:07:23 CDT 2022
Name: Roozbeh Pournader
Report Type: Public Review Issue
Opt Subject: 450
Please add this to my previous feedback on PRI 450 (from @FakeUnicode on Twitter): The spoofing is maybe not so much a problem as the potential for having code dynamically changing depending on if it has passed through a normalizer. There could be interesting phishing vectors for that. Code passes as legit when non-normalized, and malicious when normalized.