CWE-1007: Insufficient Visual Distinction of Homoglyphs Presented to User

What about the case where the program processing it fails to properly normalize the text (e.g. realize that it doesn't matter whether smart quotes are used or not, or whether an ASCII a or a different a is used?) in the case of Grammarly:

https://hackerone.com/reports/1282282

I don't believe this falls into CWE-180: Incorrect Behavior Order: Validate Before Canonicalize, because you can't necessarily canonicalize random user text input, e.g. maybe they used a Hungarian word on purpose. This is more like a source code matching problem where they renamed some variables but the "meaning" is still the same.

--
Kurt Seifried (He/Him)
k...@seifried.org
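The distinction drawn in the message above, as an added Python example that is not part of the original post: standard Unicode normalization (NFKC) leaves smart quotes and a Cyrillic "а" in place, so a matcher needs a separate comparison key, computed without rewriting the user's text. The function names, the tiny fold table and the sample strings are constructed for illustration.

```python
import unicodedata

# Constructed, deliberately tiny fold table; a real matcher would draw on
# the Unicode confusables data (UTS #39) rather than a hand-written map.
FOLD = str.maketrans({
    "\u201c": '"', "\u201d": '"',   # smart double quotes
    "\u2018": "'", "\u2019": "'",   # smart single quotes
    "\u0430": "a",                  # Cyrillic small a
    "\u0435": "e",                  # Cyrillic small ie
    "\u043e": "o",                  # Cyrillic small o
})

# Constructed sample inputs.
PLAIN = 'say "password"'
SPOOFED = "say \u201cp\u0430ssword\u201d"   # smart quotes + Cyrillic a
HUNGARIAN = "h\u0171t\u0151"                # a legitimate Hungarian word


def match_key(text):
    """Key used only for comparison; the user's text is never rewritten."""
    return unicodedata.normalize("NFKC", text).translate(FOLD).casefold()


def scripts(word):
    """Rough script set of a word, taken from Unicode character names."""
    return {unicodedata.name(ch, "?").split()[0] for ch in word if ch.isalpha()}


def mixed_script_words(text):
    """Words that mix scripts, e.g. Latin letters with one Cyrillic letter."""
    return [w for w in text.split() if len(scripts(w)) > 1]


if __name__ == "__main__":
    print(unicodedata.normalize("NFKC", SPOOFED) == PLAIN)  # NFKC alone
    print(match_key(SPOOFED) == match_key(PLAIN))           # with fold table
    print(mixed_script_words(SPOOFED), mixed_script_words(HUNGARIAN))
```

The Hungarian word stays distinct from its unaccented spelling and is not flagged, because its letters are all Latin; only the word that mixes scripts is reported.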