Punycode encode U+0138 in the host of a displayed URL

achristensen07 · achristensen07 · commit 2103ad5a4626 · 2026-02-07T09:57:58.000-08:00
https://bugs.webkit.org/show_bug.cgi?id=306981 rdar://166796168 Reviewed by Tim Nguyen. It is punycode encoded when displayed in Chrome and Firefox. It doesn't meet our usual requirement for considering a spoofing character because it is visually distinguishable from k, but since other browsers have already done this and since its linguistic use seems to have been replaced by q, let's do the same. Test: Tools/TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm * Source/WTF/wtf/URLHelpers.cpp: (WTF::URLHelpers::isLookalikeCharacter): * Tools/TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm: (TestWebKitAPI::TEST(URLExtras, URLExtras_Spoof)): Canonical link: https://commits.webkit.org/307005@main
diff --git a/Source/WTF/wtf/URLHelpers.cpp b/Source/WTF/wtf/URLHelpers.cpp
@@ -220,6 +220,7 @@ static bool isLookalikeCharacter(const std::optional<char32_t>& previousCodePoin
     case 0x00BD: /* VULGAR FRACTION ONE HALF */
     case 0x00BE: /* VULGAR FRACTION THREE QUARTERS */
     /* 0x0131 LATIN SMALL LETTER DOTLESS I is intentionally not considered a lookalike character because it is visually distinguishable from i and it has legitimate use in the Turkish language. */
+    case 0x0138: /* LATIN SMALL LETTER KRA */
     case 0x01C0: /* LATIN LETTER DENTAL CLICK */
     case 0x01C3: /* LATIN LETTER RETROFLEX CLICK */
     case 0x1E9C: /* LATIN SMALL LETTER LONG S WITH DIAGONAL STROKE */
diff --git a/Tools/TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm b/Tools/TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm
@@ -174,6 +174,7 @@
         "xn--ikg"_s, // U+1E9C
         "xn--jkg"_s, // U+1E9D
         "xn--cng"_s, // U+1EFE or U+1EFF
+        "xn--jfa"_s, // U+0138
     };
     for (auto& host : punycodedSpoofHosts) {
         auto url = makeString("http://"_s, host, '/').utf8();
