Its rare to find devs anticipating Unicode control characters showing up in user input. And the most fun when unanticipated is the Right-To-Left Override character U+202E. Unicode characters have an implicit direction so that for example by default Hebrew characters are rendered from right to left, and English characters are rendered left to right. The override characters force an explicit direction for all the text that follows.
I chose my Twitter display name to include the HTML encoding of the Right-To-Left Override character
#x202E; as a sort of joke or shout out to my favorite Unicode control character.
I did not anticipate that some Twitter clients in some of their UI would fail to encode it correctly. There's no way I can remove that from my display name now.
Try it on Amazon.
An interesting way to use the report-uri feature of CSP to detect if a user is logged into Google, Facebook etc.
A high-profile fork: one year of Blink and Webkit
Some stats and analysis at a very high level of the Blink fork from Webkit.
Google’s XSS training game. Learn how to find XSS issues for fun and profit.
Redmond finally joins Google, Mozilla, by offering cash rewards for security flaws.
Good news everyone! Of course Microsoft employees are not eligible but that’s probably for the best.