Refine security considerations for Display Strings
Fixes #2615.
mnot committed Oct 13, 2023
1 parent fcc3bc4 commit 85816ef
Showing 1 changed file with 8 additions and 1 deletion.
9 changes: 8 additions & 1 deletion draft-ietf-httpbis-sfbis.md
Expand Up @@ -61,6 +61,13 @@ informative:
RFC9113:
display: HTTP/2
HPACK: RFC7541
UNICODE-SECURITY:
title: Unicode Security Considerations
author:
- name: Mark Davis
- name: Michel Suignard
date: 2014-09-19
target: http://www.unicode.org/reports/tr36/

venue:
group: HTTP
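Review bot: The new UNICODE-SECURITY entry pins `target: http://www.unicode.org/reports/tr36/` with a plain-http scheme and a fixed `date: 2014-09-19`, while the URL points at a living report that is revised over time; consider `https://www.unicode.org/reports/tr36/` so readers reach the document over an authenticated channel, and either name the revision that the date corresponds to in the entry or state that the reference is to the current version. Also worth checking that the two `- name:` author entries render as intended in the informative references section, since the other entries in this block (RFC9113, HPACK) use the auto-reference form rather than an inline bibliography.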
Expand Down Expand Up @@ -1042,7 +1049,7 @@ The size of most types defined by Structured Fields is not limited; as a result,
It is possible for parties with the ability to inject new HTTP fields to change the meaning
of a Structured Field. In some circumstances, this will cause parsing to fail, but it is not possible to reliably fail in all such circumstances.

The Display String type conveys a Unicode string without any form of sanitization. Applications using these values need to perform their own checks on their content; for example, they might contain escape sequences, or NUL. Mitigation strategies include escaping untrusted content before displaying it.
The Display String type can convey all possible Unicode code points without any form of sanitization; for example, they might contain, for example, unassigned code points, surrogates, control points (including NUL), or non-characters. Theefore, applications consuming Display Strings need to consider strategies such as filtering or escaping untrusted content before displaying it. See also {{UNICODE-SECURITY}} and {{?I-D.draft-bray-unichars}}.

--- back

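Review bot: The replacement paragraph has a typo and a doubled phrase that should be fixed before merging: "Theefore" should read "Therefore", and "for example, they might contain, for example, unassigned code points" repeats "for example". Two smaller points in the same sentence: "control points" is not a Unicode term, "control characters" (or "control code points") is clearer, and the subject "they" refers back to "code points" rather than to the Display String values themselves. Finally, the removed line stated explicitly that "Applications using these values need to perform their own checks on their content"; the new text moves straight to mitigation strategies, so consider keeping that sentence so the requirement to validate (not only to filter or escape when displaying) is still stated, e.g. "Therefore, applications consuming Display Strings need to check their content, and consider strategies such as filtering or escaping untrusted content before displaying it."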