Defenses: Dangerous tags/handlers are stripped. After filtering, the input is normalized using Unicode NFKC (e.g., to fix typography).
Search for a query. The server filters out scripts and event handlers, then normalizes the text to ensure consistent typography.
CONCEPT: Unicode Normalization Bypass
Unicode Normalization (like NFKC or NFKD) converts characters into a standard canonical form. For example, it might convert a fancy circled '①' into a standard '1', or fullwidth characters '<' into standard ASCII '<'. If a security filter runs before normalization, an attacker can input dangerous payloads using exotic Unicode variants. The filter sees them as harmless text and lets them pass. Then, the normalization step converts them into dangerous ASCII characters just before they are stored or rendered. Rule of Thumb: Always normalize input before validating or filtering.