It was discovered that icu, the internal components for Unicode, did not properly sanitise invalid encoded data, which could lead to crosssite scripting attacks.