@laemeur Hm, apparently we only remove those things on stuff run through common_purify() (i.e. notice HTML content), in:
function common_remove_unicode_formatting($text)
{
// Strip Unicode text formatting/direction codes
// this is pretty dangerous for visualisation of text and can be used for mischief
return preg_replace('/[\\x{200b}-\\x{200f}\\x{202a}-\\x{202e}]/u', '', $text);
}
I don't think they're as problematic for single elements like profile names and such, though. As you say, it's only valid for that block, so users can't really hide any nasty stuff using those control codes. Afaik.