The %uhhhh syntax is a non-standard variant of the well-known encoding, in which you can specify a Unicode character directly by its code point rather than by its encoded code point, just as some languages support \uhhhh. This syntax is supported by JavaScript's unescape function, as well as Microsoft's IIS web server.
But that is probably not the reason, since %u00AB would be displayed as «. The reason for this is rather a kind of transliteration, as iconv does:
    iconv('UTF-8', 'ASCII//TRANSLIT', '«') === '<<'
    iconv('UTF-8', 'KOI8-R//TRANSLIT', '«') === '<<'
And Jeremy Grossman's blog article "Results, Unicode Left/Right Pointing Double Angle Quotation Mark", which mentions this vulnerability, sums up the number of vulnerable applications:
Arian promised to return to 3APA3A after scanning several hundred production sites using the WhiteHat Sentinel. The huge advantage of the R&D platform. Two years later, there is data to share. We were busy, but hey, better late than never? :) As it turned out, 3APA3A was right! Arian discovered a small number of web applications that are vulnerable to coding technology, and they add up if the sample pool is large enough. Samples from 300 to approximately 1000 sites.
Gumbo
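An added example, not part of the answer above or of the cited blog post: a Python check that decodes %uhhhh, approximates the lossy charset conversion, and rejects input that gains markup characters only after that conversion. The function names, the `DANGEROUS` set and the U+00BB table entry are assumptions; only the « to `<<` mapping comes from the iconv lines above.

```python
import re
import unicodedata

# Lossy-conversion table. The U+00AB -> "<<" entry is the iconv //TRANSLIT
# result quoted above; the U+00BB entry is its assumed mirror image.
TRANSLIT = {"\u00ab": "<<", "\u00bb": ">>"}
DANGEROUS = set("<>\"'&")  # assumed set of markup-significant characters

_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def decode_percent_u(raw: str) -> str:
    """Decode %uhhhh and %hh the way unescape() does (%hh as Latin-1)."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), raw)


def to_ascii_lossy(text: str) -> str:
    """Approximate what a transliterating conversion to ASCII emits."""
    out = []
    for ch in text:
        if ch in TRANSLIT:
            out.append(TRANSLIT[ch])
        elif ord(ch) < 128:
            out.append(ch)
        else:
            # NFKC folds compatibility forms, e.g. fullwidth U+FF1C -> "<".
            folded = unicodedata.normalize("NFKC", ch)
            out.append(folded if folded.isascii() else "?")
    return "".join(out)


def hidden_markup(raw: str) -> set:
    """Dangerous ASCII characters that appear only after lossy conversion."""
    decoded = decode_percent_u(raw)
    return (DANGEROUS & set(to_ascii_lossy(decoded))) - (DANGEROUS & set(decoded))


def validate(raw: str) -> str:
    """Return the decoded input, or reject it if conversion adds markup."""
    found = hidden_markup(raw)
    if found:
        raise ValueError(f"input transliterates to markup: {sorted(found)}")
    return decode_percent_u(raw)
```

Run the check before any filter that looks for `<` or `>`, so the filter and the later charset conversion see the same characters.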