Before

<!doctype html>
<html lang="ar" dir="rtl">
	<meta charset="utf-8">
		<title>LG-001 — BEFORE (OTP accepts Arabic-Indic)</title>
		<body style="font:16px/1.6 system-ui, sans-serif; padding:24px">
			<h2 style="margin:0 0 8px">OTP (One-Time Code)</h2>
			<label for="otp" style="display:block;margin-bottom:6px">Enter the verification code</label>
			<input id="otp" name="otp" type="text" dir="rtl" inputmode="numeric" style="font-size:20px;padding:10px 12px;border:1px solid #d1d5db;border-radius:8px; width:14ch">
				<p style="margin-top:12px;color:#6b7280">
				<bdi> Accepts: <span style="font-family:inherit">١٢٣٤٥٦</span> (incorrect per policy).<br></bdi>
				</p>
		</body>
</html>



After

<!doctype html>
<html lang="ar" dir="rtl">
	<meta charset="utf-8">
		<title>LG-001 — AFTER (Latin-only OTP, LTR)</title>
		<body style="font:16px/1.6 system-ui, sans-serif; padding:24px">
			<h2 style="margin:0 0 8px">OTP (One-Time Code)</h2>
			<label for="otp" style="display:block;margin-bottom:6px">Enter the verification code</label>
			<input id="otp" name="otp" type="text" dir="ltr" inputmode="numeric" maxlength="6" pattern="^[0-9]{6}$" aria-describedby="otp-hint otp-err" style="font-size:20px;padding:10px 12px;border:1px solid #d1d5db;border-radius:8px; width:16ch;">
				<small id="otp-hint" style="display:block;margin-top:8px;color:#6b7280">
					<bdi>Use English digits 0–9 only. Example: 123456<bdi>
					<br/><bdi>Doesn't accept: <span style="font-family:inherit">١٢٣٤٥٦</span><br></bdi>

				</small>
				<small id="otp-err" style="display:block;margin-top:6px;color:#b91c1c;visibility:hidden">
					<bdi>Arabic-Indic digits ٠–٩ are not allowed — use 0–9.<bdi>
				</small>
				<script>
				  // Show a clear message if Arabic-Indic digits are typed
				  const otp = document.getElementById('otp');
				  const err = document.getElementById('otp-err');
				  otp.addEventListener('input', () => {
					const hasArabicIndic = /[\u0660-\u0669]/.test(otp.value);
					err.style.visibility = hasArabicIndic ? 'visible' : 'hidden';
				  });
				</script>

		</body>
</html>



Notes:
Severity: P1
Rule: Numerals (Tech) — OTP must use Latin 0–9
Fix: Enforce Latin digits only; LTR caret/logic; user hint; reject Arabic-Indic.
Verify: 123456 valid; ١٢٣٤٥٦ rejected with clear error; paste 123456 valid.