Home/ Questions/Q 7859051
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-02T21:44:56+00:00

Are there any real dangers to user-input unicode, that isn’t handled by user agent

  • 0

Are there any real dangers to user-input unicode, that isn’t handled by user agent / browser, etc?

Obviously from server to client, there’s a real threat of spoofing, but i’m trying to figure out what concrete ‘attacks’ (if any) or grievances i should be aware when treating unicode input.

The question is language agnostic, but i am making this question having in mind the security implications on a GWT application.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I can think of several issues with user controlled unicode strings:

    1. There are multiple ways to express equivalent strings in unicode. For example ä can be expressed as single codepoint, or as a followed by a combining ¨. Unicode normalization helps against most of these issues.
    2. There are characters which allow strange caret movements. I’ve heard of a chat where you could place your message over somebody else’s message. Which got them banned for saying inappropriate things, because the admins didn’t realize who actually sent said message.
    3. There are look alike characters. For example there are some Russian or Greek characters that are optically indistinguishable from their ASCII equivalents. That’s very problematic of a string should uniquely identify something. For example usernames or domains. Similar to the classical l vs I problem, except much worse.
    4. With UTF-8 and UTF-16, splitting a string in the middle of a codepoint might cause some issues.
    5. Some operations on a string might change its lengths unexpectedly. For example uppercasing a string might make it longer.

    There are probably more issues, I’m certainly no expert on unicode

    • 0