Skip to content

Commit ab8ce45

Browse files
author
Mathieu
committed
Reword introduction
1 parent 436acb2 commit ab8ce45

File tree

1 file changed

+19
-7
lines changed

1 file changed

+19
-7
lines changed

reference/constraints/NoSuspiciousCharacters.rst

Lines changed: 19 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -5,15 +5,25 @@ NoSuspiciousCharacters
55

66
The ``NoSuspiciousCharacters`` constraint was introduced in Symfony 6.3.
77

8-
A good thing about Unicode is that it allows to use (almost) every imaginable character.
9-
A bad thing is that this makes spoofing rather easy: "symfony.com" and "ѕymfony.com"
10-
look similar, but the latter actually starts with a `cyrillic small letter dze`_.
8+
..
9+
10+
Because Unicode contains such a large number of characters and incorporates
11+
the varied writing systems of the world, incorrect usage can expose programs
12+
or systems to possible security attacks.
13+
14+
`Unicode® Technical Standard #39`_
15+
16+
"symfony.com" and "ѕymfony.com" look similar, but the latter actually starts with a
17+
`cyrillic small letter dze`_. It could make a user think they'll navigate to Symfony's
18+
website, whereas it would be somewhere else.
19+
This is a kind of `spoofing attack`_ (called "IDN homograph attack"): it tries to
20+
identify something as something else to exploit the resulting confusion.
1121
This is why it is recommended to check user-submitted, public-facing identifiers for
12-
suspicious characters to prevent spoofing attempts.
22+
suspicious characters in order to prevent such attacks.
1323

14-
This constraint performs such validation on strings or :phpclass:`Stringable`s.
15-
As it leverages PHP's :phpclass:`Spoofchecker`, the intl extension must be enabled to
16-
use it.
24+
This constraint ensures strings or :phpclass:`Stringable`s do not include any
25+
suspicious characters. As it leverages PHP's :phpclass:`Spoofchecker`, the intl
26+
extension must be enabled to use it.
1727

1828
========== ===================================================================
1929
Applies to :ref:`property or method <validation-property-target>`
@@ -138,7 +148,9 @@ You can accept all characters by setting this option to
138148

139149
.. include:: /reference/constraints/_payload-option.rst.inc
140150

151+
.. _`Unicode® Technical Standard #39`: https://unicode.org/reports/tr39/
141152
.. _`cyrillic small letter dze`: https://graphemica.com/%D1%95
153+
.. _`spoofing attack`: https://en.wikipedia.org/wiki/Spoofing_attack
142154
.. _`single-script`: https://unicode.org/reports/tr39/#def-single-script
143155
.. _`covered`: https://unicode.org/reports/tr39/#def-cover
144156
.. _`Recommended`: https://www.unicode.org/reports/tr31/#Table_Recommended_Scripts

0 commit comments

Comments
 (0)