# Improper Handling of Unicode Encoding (CWE-176)

The product does not properly handle when an input contains Unicode encoding.

**Stack:** Go

- Prevalence: Medium 3 languages covered
- Impact: Medium Review recommended
- Prevention: Documented 3 fix examples

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Unicode characters can have multiple encodings or representations. If an application does not properly handle Unicode, attackers may be able to bypass security filters or cause unexpected behavior using alternate encodings.

## Prevention

Prevention strategies for Improper Handling of Unicode based on 1 Shoulder detection rules.

### Go

Normalize strings with NFKC before security-sensitive comparisons

## Consequences

- Bypass Protection Mechanism
- Execute Unauthorized Code

## Mitigations

- Normalize Unicode input to a canonical form before processing
- Apply security checks after Unicode normalization
- Use Unicode-aware comparison functions

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **Unicode Normalization Security Issues** [MEDIUM]: Security-sensitive string comparison without Unicode normalization.
  - Remediation: Normalize strings with NFKC before security-sensitive comparisons.

```go
import "golang.org/x/text/unicode/norm"

func isAdmin(username string) bool {
    normalized := norm.NFKC.String(strings.ToLower(username))
    return normalized == "admin"
}
```

Learn more: https://shoulder.dev/learn/go/cwe-176/unicode-normalization