You should never, ever render user-supplied content as UTF-16 on the Web. Fortunately, the defense is easy: always serve UTF-8.
Here’s a demo of the exploit:
Here is some mojibake. To fix it, use the character encoding menu to choose another encoding.
猼牣灩㹴愠敬瑲∨単≓㬩⼼捳楲瑰‾
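The check below is an added example, not code from the original post. It takes the demo string above and shows that HTML escaping leaves it untouched, that its UTF-16LE bytes read as markup to an ASCII-compatible decoder, and that its UTF-8 bytes do not. The function names and the use of latin-1 as a stand-in for the wrongly chosen encoding are assumptions.

```python
import html

# Demo string copied verbatim from the page above.
SAMPLE = "猼牣灩㹴愠敬瑲∨単≓㬩⼼捳楲瑰‾"


def ascii_view(text: str, encoding: str) -> str:
    """Encode `text`, then read the bytes the way a single-byte,
    ASCII-compatible decoder would (latin-1 is an assumed stand-in)."""
    return text.encode(encoding).decode("latin-1")


def markup_survives_escaping(text: str, encoding: str) -> bool:
    """Escape at the code-point level, encode, and report whether the
    wire bytes still contain an ASCII '<' or '>'."""
    wire = html.escape(text, quote=True).encode(encoding)
    return b"<" in wire or b">" in wire


def utf8_response(user_text: str) -> tuple:
    """The page's defense: escape, encode as UTF-8, declare the charset."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return headers, html.escape(user_text, quote=True).encode("utf-8")


if __name__ == "__main__":
    # The escaper sees only non-ASCII code points, so it changes nothing.
    print("escaping changed the text:", html.escape(SAMPLE) != SAMPLE)
    for enc in ("utf-16-le", "utf-8"):
        print(enc, "-> markup bytes on the wire:",
              markup_survives_escaping(SAMPLE, enc))
    print("UTF-16LE bytes read as ASCII:", ascii_view(SAMPLE, "utf-16-le"))
```

In UTF-8 every byte below 0x80 comes from an ASCII character, which the escaper has already handled, so re-reading the bytes in another ASCII-compatible encoding cannot produce markup.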