Bug
Resolution: Fixed
Minor
3.0.8
None
The word filter can be easily evaded using control characters (Unicode characters 00 - 0F). It does not work with NUL (00), but I have tested it with SOH and STX and it works with both of them. When the user posts, all they have to do is insert one of these control characters into the word they don't want to be filtered, and it is allowed in the post.
My proposed fix, which I would be happy to implement myself, would be to simply strip all control characters from the post. I've never seen a control character used genuinely on a bulletin board.
If you want to replicate this yourself and your keyboard doesn't allow you to type these characters, go into a JavaScript console (easiest) and type console.log('wo\u0001rd'). You will not be able to see the control character.
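The proposed fix, sketched as an added example (not part of the original report and not the project's own code): control characters are stripped before the word filter runs, so the filter sees the word as one contiguous run again. The names CENSORED, censor, stripControlChars, censorHardened and findControlChars are hypothetical; the example assumes the whole C0 range plus DEL and the C1 range should go, while tab, LF and CR are kept because posts legitimately contain them.

```javascript
// Constructed word list and filter; hypothetical stand-ins for the board's censor.
const CENSORED = ['word'];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Naive filter: matches a censored word only as a contiguous run of characters.
function censor(text) {
  return CENSORED.reduce(
    (out, w) => out.replace(new RegExp(escapeRegExp(w), 'gi'), '*'.repeat(w.length)),
    text
  );
}

// C0 controls except TAB (09), LF (0A) and CR (0D), plus DEL (7F) and C1 (80-9F).
const CONTROL_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F]/g;

function stripControlChars(text) {
  return text.replace(CONTROL_CHARS, '');
}

// Hardened path: normalise first, then filter. Store the normalised text,
// not the raw input, so the stripped characters never reach the database.
function censorHardened(text) {
  return censor(stripControlChars(text));
}

// Moderation helper: report which control code points a post carried and where.
function findControlChars(text) {
  return [...text.matchAll(CONTROL_CHARS)].map(m => ({
    index: m.index,
    codePoint: 'U+' + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, '0'),
  }));
}

// Constructed sample post: SOH and STX inside the word, plus a real line break.
const post = 'a wo\u0001rd and a w\u0002ord\non two lines';
console.log(JSON.stringify(censor(post)));          // filter alone: unchanged
console.log(JSON.stringify(censorHardened(post)));  // stripped, then filtered
console.log(findControlChars(post));
```

Logging the output of findControlChars at submission time gives moderators a record of posts that arrived with embedded control characters.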