The security concerns are those of "Trojan source", where the displayed text doesn't correspond to the bytes on the wire.[1]

I don't think a wire protocol should necessarily restrict them, for the sake of compatibility with existing text corpus out there, but a fair observation.

1: https://trojansource.codes/

▲

yencabulator 4 days ago | parent [-]

The enforcement is an app-level issue, depending on the semantics of the field. I agree it doesn't belong in the low-level transport protocol.

The rules for "username", "display name", "biography", "email address", "email body" and "contents of uploaded file with name foo.txt" are not all going to be the same.

▲

Waterluvian 4 days ago | parent [-]

Can a regular expression be used to restrict Unicode chars like the ones described?

I’m imagining a listing of regex rules for the various gotchas, and then a validation-level use that unions the ones you want.

▲

fluoridation 3 days ago | parent [-]

Why would you need a regular expression for that? It's just a list of characters.

	▲	Waterluvian 3 days ago \| parent [-]
		There’s cases where certain characters coming before or after others is what creates the issue.