Tweetdeck was XSSed using unicode in June 2014. If you want to understand how these kinds of attacks work, you should really come see this talk.
If you don't care about unicode, you really need to see this talk.
Hacking with Unicode
This presentation explores common mistakes made by programmers when dealing with Unicode support and character encodings on the Web. Foreach mistake, I will explain how to fix/prevent it, but also how it could possibly be exploited.