This tweet describes an interesting behavior: certain non-ASCII characters map to ASCII characters when converted to upper- or lower-case. Specifically:
ı (\u0131) to upper-case --> I
ſ (\u017f) to upper-case --> S
İ (\u0130) to lower-case --> i
K (\u212a) to lower-case --> k
This can help bypass XSS filters and blacklists. For example, the filter in the app below can be bypassed by ?name=<ſcript src="/alert1.js"></script>.
vulnerable-app.py
12345678910111213
fromflaskimportFlask,request,Responseapp=Flask(__name__)@app.route("/")defmain():name=request.args.get('name')or'guest'if'<script'inname.lower():return'XSS DENIED!'return'<html>Welcome, '+name.upper()+'!</html>'@app.route("/ALERT1.JS")#normally hosted on attacker sitedefalert1():return'alert(1)'