There are a number of other areas of HTML5 which need security review. For a simple example, I'm concerned about the sections of HTML5 which seem to imply that a IRI is shown to the user as some kind of validation of the link that is going to be followed. This is more problematic than usual when non-ASCII characters are allowed in URIs / IRIs / URLs. -- Larry Masinter 2009-12-08
Note discussion about IRIs and IDNs. See also: IDN_Spoofing discussion -- Thomas Roessler 2009-12-08
