

Unicode Security Considerations - alexkon
http://www.unicode.org/reports/tr36/

======
mbrubeck
It doesn't mention my favorite Unicode attack, which is using UTF-7 to evade
content filters or fool heuristic encoding-sniffers:

[http://security-sh3ll.blogspot.com/2009/05/exploiting-ie8-ut...](http://security-sh3ll.blogspot.com/2009/05/exploiting-ie8-utf-7-xss-vulnerability.html)
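
As an added example (not part of the original comment or of TR36), the sketch below shows why a byte-level filter misses markup written as UTF-7 shift sequences, and one way to flag such sequences before content is served. The function names and sample inputs are constructed for illustration.

```python
import re

# UTF-7 shift sequence: '+', modified-base64 characters, optional '-' terminator.
SHIFT_SEQ = re.compile(rb"\+[A-Za-z0-9+/]+-?")
# Characters that change meaning in HTML once a consumer decodes them.
MARKUP_CHARS = set("<>\"'&")


def naive_filter_allows(raw: bytes) -> bool:
    """Byte-level filter that only looks for literal angle brackets."""
    return b"<" not in raw and b">" not in raw


def utf7_hidden_markup(raw: bytes) -> list[tuple[str, str]]:
    """Return (encoded, decoded) pairs for shift sequences that decode
    to markup-significant characters."""
    findings = []
    for match in SHIFT_SEQ.finditer(raw):
        seq = match.group(0)
        try:
            decoded = seq.decode("utf-7")
        except UnicodeDecodeError:
            continue  # e.g. the "+1-" in "1+1-2" is not a valid shift sequence
        if MARKUP_CHARS & set(decoded):
            findings.append((seq.decode("ascii"), decoded))
    return findings


# Constructed sample: a harmless bold tag written with UTF-7 shift sequences.
SAMPLE = b"Hello +ADw-b+AD4-world+ADw-/b+AD4-"
# Constructed sample: ordinary text that merely contains plus and minus signs.
PLAIN = b"Total is 1+1-2 and a+b"

if __name__ == "__main__":
    print("naive filter allows sample:", naive_filter_allows(SAMPLE))
    for encoded, decoded in utf7_hidden_markup(SAMPLE):
        print(f"  {encoded!r} decodes to {decoded!r}")
    print("findings in plain text:", utf7_hidden_markup(PLAIN))
```

Declaring the charset explicitly on every response (for example `Content-Type: text/html; charset=utf-8`) removes the sniffing step that makes these sequences meaningful in the first place.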

------
lsb
_Font technologies such as TrueType/OpenType are extremely powerful. A glyph
in such a font actually may use a small program to deform the shape radically
according to resolution, platform, or language. This is used to choose an
optimal shape for the character under different conditions. However, it can
also be used in a security attack, since it is powerful enough to change the
appearance of, say "$100.00" on the screen to "$200.00" when printed._

Important to keep in mind, what with all the new web font capabilities.

