SpiderLabs Blog

Added Unicode encoding validation

Written by SpiderLabs Anterior | Jul 24, 2003 6:48:00 AM

I've just committed the Unicode validation feature to CVS. It is a very good thing to have if the application or the operating system supports and/or understands Unicode. Most importantly, this feature will protect against attacks where an ASCII character is encoded with more than one byte, thus avoiding detection. In addition to this, ModSecurity checks that there is a sufficient number of bytes available, and that all bits in all bytes have correct values. For a detailed description of the Unicode attack, have a look at the OWASP guide.
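
The three checks described above (overlong encodings, enough bytes available, correct bit patterns), as an added C example; it is not ModSecurity's own code, and the names `utf8_validate`, `utf8_check_one` and the status codes are hypothetical. It flags overlong forms of any code point, not only ASCII, and does not check surrogates or values above U+10FFFF.

```c
#include <stddef.h>
#include <stdio.h>

enum utf8_status { UTF8_OK = 0, UTF8_TRUNCATED, UTF8_BAD_BITS, UTF8_OVERLONG };

/* Check one sequence at s[0..len), len >= 1; on success store its length in *used. */
static enum utf8_status utf8_check_one(const unsigned char *s, size_t len, size_t *used)
{
    /* Smallest code point that legitimately needs n bytes, indexed by n. */
    static const unsigned long min_cp[5] = { 0, 0, 0x80, 0x800, 0x10000 };
    unsigned long cp = 0;
    size_t n = 0, i;

    if (s[0] < 0x80)                { *used = 1; return UTF8_OK; }
    else if ((s[0] & 0xE0) == 0xC0) { n = 2; cp = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { n = 3; cp = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { n = 4; cp = s[0] & 0x07; }
    else return UTF8_BAD_BITS;      /* stray continuation or invalid lead byte */

    if (len < n) return UTF8_TRUNCATED;           /* not enough bytes available */
    for (i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return UTF8_BAD_BITS;  /* must be 10xxxxxx */
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (cp < min_cp[n]) return UTF8_OVERLONG;     /* a shorter encoding exists */
    *used = n;
    return UTF8_OK;
}

/* Validate a whole buffer; returns the first error found, or UTF8_OK. */
enum utf8_status utf8_validate(const unsigned char *buf, size_t len)
{
    size_t pos = 0, used = 0;
    while (pos < len) {
        enum utf8_status st = utf8_check_one(buf + pos, len - pos, &used);
        if (st != UTF8_OK) return st;
        pos += used;
    }
    return UTF8_OK;
}

int main(void)
{
    /* Constructed sample: ASCII 'A' (0x41) written as the overlong pair C1 81. */
    const unsigned char sample[] = { 'x', 0xC1, 0x81 };
    printf("status=%d (3 = overlong)\n", utf8_validate(sample, sizeof sample));
    return 0;
}
```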