PDF fonts, encodings, and risk potentials interacting with web browser

I once encountered a very interesting type of XSS on a website purely by accident. This website allows users to upload PDFs and will open the PDF in the browser with some built-in JavaScript. What happened was I uploaded a paper of mine that contains the text <script>alert()</script>, and when I tried to open the PDF, the script magically got executed in the browser. I reported this issue to the webmaster; they fixed it but did not tell me what had happened. What I also found is that the above text must be in a certain font for it to be executed (unfortunately I forgot what font it was).

Today, I was copying a piece of text from a PDF that was saved off a web page and pasting the text into a Word document, and I found that what was displayed in the PDF as “certified” became “certiÕed”. Again, it only happens with a certain font; the font in that PDF is “Open Sans”, a weird font that my PDF editor does not have but can still display.

I have very limited knowledge about PDFs, fonts and encodings; I wonder if someone knowledgeable can explain the underlying reasons for my first and second observations. The first one is definitely an XSS breach, but does the second bear any security risk?
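The first observation, seen from the viewer's side: whatever text layer a PDF viewer extracts from a document is untrusted input, and concatenating it into page markup is the sink that turns a `<script>` string in the document into script execution. The following is an added example, not code from the question or from the site in question; the extracted-text sample is constructed, and `renderUnsafe`, `renderSafe` and `containsMarkup` are hypothetical names.

```javascript
// Constructed sample of what a text-extraction layer might hand back for one page.
// It contains the same literal text the question describes.
const EXTRACTED_PDF_TEXT =
  'Abstract: see <script>alert()</script> for details; certified.';

// Vulnerable pattern: extracted PDF text concatenated straight into HTML.
// The <script> text survives intact and the browser will parse it as a tag.
function renderUnsafe(text) {
  return '<div class="pdf-page">' + text + '</div>';
}

// Escape the five characters that matter in an HTML text-node context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: escape before concatenation (or, in a live page, assign the
// text via element.textContent), so the browser shows the literal characters.
function renderSafe(text) {
  return '<div class="pdf-page">' + escapeHtml(text) + '</div>';
}

// Detection helper for an upload or review pipeline: flag extracted text that
// would parse as a tag or as an inline event-handler attribute if rendered raw.
function containsMarkup(text) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(text) || /\bon[a-z]+\s*=/i.test(text);
}

// Stand-alone demonstration.
console.log('unsafe :', renderUnsafe(EXTRACTED_PDF_TEXT));
console.log('safe   :', renderSafe(EXTRACTED_PDF_TEXT));
console.log('flagged:', containsMarkup(EXTRACTED_PDF_TEXT));
```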