Posted by: Barracuda labs
Unicode encoding-based filter evasions have been around for years and we thought web developers would write filters to cover it all. However, it seems that is not true. The new round has come with Arian Evans and Jeremiah Grossman testing a unicode-encoded left (%u00AB) and right (%u00BB) angle quotation mark for getting around XSS filters. They hinted at it 2 years ago but did not get a chance to actually testing it until now (nobody else did either as there is no mention of it on the XSS cheat sheet).
Lessons learned, security is a state at a given time. Once achieved it does not hold forever. You need to constantly evaluate and update it to counter new attacks.