Remark about bypassing host list with punycode.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>

library/HTMLPurifier/URIFilter/HostBlacklist.php

@@ -1,5 +1,9 @@
 <?php
 
+// It's not clear to me whether or not Punycode means that hostnames
+// do not have canonical forms anymore. As far as I can tell, it's
+// not a problem (punycoding should be identity when no Unicode
+// points are involved), but I'm not 100% sure
 class HTMLPurifier_URIFilter_HostBlacklist extends HTMLPurifier_URIFilter
 {
     public $name = 'HostBlacklist';