# Improper Handling of Unicode Encoding (CWE-176)

The product does not properly handle when an input contains Unicode encoding.

**Stack:** Go

- Prevalence: Moyenne 3 langages couverts
- Impact: Moyen Revue recommandée
- Prevention: Documentée 3 exemples de correctifs

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Unicode characters can have multiple encodings or representations. If an application does not properly handle Unicode, attackers may be able to bypass security filters or cause unexpected behavior using alternate encodings.

## Prevention

Stratégies de prévention pour Improper Handling of Unicode basées sur 1 règles de détection Shoulder.

### Go

Normalize strings with NFKC before security-sensitive comparisons

## Consequences

- Contourner le mécanisme de protection
- Exécuter du code non autorisé

## Mitigations

- Normalisez les entrées Unicode en forme canonique avant traitement
- Appliquez les contrôles de sécurité après la normalisation Unicode
- Utilisez des fonctions de comparaison qui prennent en compte Unicode

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **Unicode Normalization Security Issues** [MEDIUM]: Security-sensitive string comparison without Unicode normalization.
  - Remediation: Normalize strings with NFKC before security-sensitive comparisons.

```go
import "golang.org/x/text/unicode/norm"

func isAdmin(username string) bool {
    normalized := norm.NFKC.String(strings.ToLower(username))
    return normalized == "admin"
}
```

Learn more: https://shoulder.dev/learn/go/cwe-176/unicode-normalization