From 3b2baa7336df25ca99532ec904a7ffbdac5e94f7 Mon Sep 17 00:00:00 2001
From: Justin Grant
Date: Tue, 18 Apr 2023 14:37:06 -0700
Subject: [PATCH] Polyfill: Add comment explaining ASCIILowercase AO

Suggested by @12wrigja in https://github.com/js-temporal/temporal-polyfill/pull/244/files#r1169245765
---
 polyfill/lib/ecmascript.mjs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/polyfill/lib/ecmascript.mjs b/polyfill/lib/ecmascript.mjs
index 70c8fd2b02..81176f6afb 100644
--- a/polyfill/lib/ecmascript.mjs
+++ b/polyfill/lib/ecmascript.mjs
@@ -5419,6 +5419,12 @@ export function IsBuiltinCalendar(id) {
 }

 export function ASCIILowercase(str) {
+ // The spec defines this operation distinct from String.prototype.lowercase,
+ // so we'll follow the spec here. Note that nasty security issues that can
+ // happen for some use cases if you're comparing case-modified non-ASCII
+ // values. For example, Turkish's "I" character was the source of a security
+ // issue involving "file://" URLs. See
+ // https://haacked.com/archive/2012/07/05/turkish-i-problem-and-why-you-should-care.aspx/.
 return Call(StringPrototypeReplace, str, [
 /[A-Z]/g,
 (l) => {
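Review bot: The comment added at the top of ASCIILowercase names `String.prototype.lowercase`, which is not a built-in; the method meant is `String.prototype.toLowerCase`, and "Note that nasty security issues that can happen" has a stray "that". The comment would be more useful if it stated the property the code relies on: `toLowerCase` applies Unicode case mapping, so for example U+212A KELVIN SIGN becomes ASCII `k`, while the `/[A-Z]/g` replacement leaves every non-ASCII character unchanged, so a non-ASCII identifier can never compare equal to an ASCII one after lowering. Suggested first sentence: `// The spec defines this operation as distinct from String.prototype.toLowerCase: only A-Z are mapped, so non-ASCII input is never folded into ASCII.` The Turkish "I" example in the linked article appears to concern locale-sensitive casing, which in JavaScript is `toLocaleLowerCase`, so it reads better as an analogy than as something `toLowerCase` itself does. The body of ASCIILowercase continues past the end of the hunk.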