#[non_exhaustive]
pub enum Strategy {
UrlEncode,
UrlEncodeLower,
DoubleUrlEncode,
TripleUrlEncode,
UnicodeEncode,
IisUnicodeEncode,
JsonEncode,
HtmlEntityEncode,
HtmlEntityDecimalEncode,
CaseAlternation,
RandomCase,
WhitespaceInsertion,
SqlCommentInsertion,
MysqlVersionedComment,
NullByte,
OverlongUtf8,
OverlongUtf8More,
ChunkedSplit,
ParameterPollution,
Base64Encode,
Base64UrlEncode,
HexEncode,
Utf7Encode,
GzipEncode,
DeflateEncode,
SpaceToComment,
SpaceToDash,
SpaceToHash,
SpaceToPlus,
SpaceToRandomBlank,
PercentagePrefix,
BetweenObfuscation,
UnmagicQuotes,
FullwidthEncode,
HomoglyphEncode,
}
Available encoding strategies.
Context hints
Many strategies are only semantically correct in specific parser contexts.
Use Strategy::contexts to query the applicable contexts for a strategy.
Variants (Non-exhaustive)
This enum is marked as non-exhaustive
UrlEncode
Standard URL encoding (%XX) — preserves unreserved chars per RFC 3986. Safe for: query strings, paths, form data.
UrlEncodeLower
Lowercase hex URL encoding (%xx) — same semantics as UrlEncode.
Safe for: query strings, paths, form data.
DoubleUrlEncode
Double URL encoding (%25XX) — bypasses WAFs that decode once. Safe for: query strings, paths, form data.
TripleUrlEncode
Triple URL encoding (%2525XX) — bypasses WAFs that decode twice. Safe for: query strings, paths, form data.
UnicodeEncode
Unicode escape (\uXXXX) — ONLY safe when target parses JSON/JavaScript. Unsafe for: raw HTTP parameters, headers, most server frameworks.
IisUnicodeEncode
IIS/ASP percent Unicode (%uXXXX) — ONLY safe on IIS/ASP classic parsers. Unsafe for: modern servers (nginx, Apache, Node.js, etc.).
JsonEncode
JSON string encoding with Unicode escapes — ONLY safe in JSON contexts. Unsafe for: raw HTTP parameters.
HtmlEntityEncode
HTML entity encoding (&#xXX;) — ONLY safe in HTML contexts. Unsafe for: raw HTTP parameters, JSON bodies.
HtmlEntityDecimalEncode
HTML decimal entity encoding (&#60;) — ONLY safe in HTML contexts. Unsafe for: raw HTTP parameters, JSON bodies.
CaseAlternation
Alternating case (SeLeCt) — bypasses case-sensitive keyword filters.
Safe for: any text context where case is preserved.
RandomCase
Random alternating case — non-deterministic variant of CaseAlternation.
Safe for: any text context where case is preserved.
WhitespaceInsertion
Tab insertion BETWEEN tokens — preserves keyword integrity. Safe for: SQL contexts where whitespace separates tokens.
SqlCommentInsertion
SQL comment insertion BETWEEN tokens — preserves keyword integrity. Safe for: SQL contexts where comments are treated as whitespace.
MysqlVersionedComment
MySQL versioned comment (/*!50000SELECT*/) — executed by MySQL, ignored by WAFs.
Safe for: MySQL backends.
NullByte
Null byte injection (%00) — ONLY semantically correct for C-style string parsers. Context: php, some CGI implementations.
OverlongUtf8
Overlong UTF-8 encoding (2-byte) — ONLY works against legacy WAFs that normalize. Context: iis-6, very old frontends.
OverlongUtf8More
Extended overlong UTF-8 encoding (3-byte) — broader coverage than OverlongUtf8.
Context: iis-6, very old frontends.
ChunkedSplit
Chunked transfer-encoding split — ONLY valid with Transfer-Encoding: chunked.
Context: http-request-body.
ParameterPollution
HTTP parameter pollution — duplicate parameter with benign first value. Safe for: query strings, form data.
Base64Encode
Base64 encoding (standard alphabet). Safe for: headers, bodies, query strings (may need URL encoding after).
Base64UrlEncode
Base64 URL-safe encoding (-_ no padding). Safe for: URL contexts where +/ would be mangled.
HexEncode
Hex encoding. Safe for: any byte context.
Utf7Encode
UTF-7 encoding per RFC 2152. Context: legacy IIS/.NET parsers that decode UTF-7.
GzipEncode
Gzip compression — ONLY valid with Content-Encoding: gzip.
Context: http-request-body.
DeflateEncode
Deflate compression — ONLY valid with Content-Encoding: deflate.
Context: http-request-body.
SpaceToComment
Replace spaces with SQL comments (/**/).
Safe for: SQL contexts.
SpaceToDash
Replace spaces with dash comments (--).
Safe for: SQL contexts.
SpaceToHash
Replace spaces with hash comments (#).
Safe for: MySQL contexts.
SpaceToPlus
Replace spaces with plus signs (+).
Safe for: URL-encoded form data.
SpaceToRandomBlank
Replace spaces with random blank characters. Safe for: SQL contexts.
PercentagePrefix
Prefix each character with % — lightweight bypass.
Safe for: contexts that strip % before parsing.
BetweenObfuscation
Between obfuscation (= → BETWEEN # AND #).
Safe for: SQL contexts.
UnmagicQuotes
Unmagic quotes (%bf%27) — multi-byte charset quote escape.
Context: PHP with GBK/Big5/Shift-JIS connections.
FullwidthEncode
Fullwidth Unicode (SELECTuntouched) — bypasses ASCII keyword regex.
Context: backends that perform NFKC normalization (Java, .NET, Python 3, PostgreSQL).
HomoglyphEncode
Homoglyph substitution — visually identical Unicode chars for ', ", <, >, =.
Context: byte-level WAFs with Unicode-tolerant backends.
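For the inspection side of the DoubleUrlEncode, TripleUrlEncode and FullwidthEncode entries above, an added example (not code from this crate) that percent-decodes to a fixed point and folds fullwidth forms before any keyword rule runs. The function names and the five-layer cap are assumptions made for illustration, and the fold covers only U+FF01 to U+FF5E rather than full NFKC.

```rust
// Added example, not crate code: canonicalize input before keyword matching.
/// Remove one layer of %XX escapes; malformed escapes are kept as-is.
fn percent_decode_once(input: &[u8]) -> Vec<u8> {
    let hex = |b: u8| (b as char).to_digit(16).map(|d| d as u8);
    let mut out = Vec::with_capacity(input.len());
    let mut i = 0;
    while i < input.len() {
        if input[i] == b'%' && i + 2 < input.len() {
            if let (Some(h), Some(l)) = (hex(input[i + 1]), hex(input[i + 2])) {
                out.push(h << 4 | l);
                i += 3;
                continue;
            }
        }
        out.push(input[i]);
        i += 1;
    }
    out
}

/// Decode until the bytes stop changing or `max_layers` (assumed cap) is hit.
pub fn canonicalize(input: &str, max_layers: usize) -> (Vec<u8>, usize) {
    let mut cur = input.as_bytes().to_vec();
    let mut layers = 0;
    while layers < max_layers {
        let next = percent_decode_once(&cur);
        if next == cur { break; }
        cur = next;
        layers += 1;
    }
    (cur, layers)
}

/// Fold fullwidth forms to ASCII and lowercase, as an NFKC backend would see them.
pub fn fold(text: &str) -> String {
    let ascii = |c: char| match c {
        '\u{FF01}'..='\u{FF5E}' => char::from_u32(c as u32 - 0xFEE0).unwrap_or(c),
        _ => c,
    };
    text.chars().map(ascii).collect::<String>().to_lowercase()
}

/// Returns (canonical text, layers removed); more than one layer is itself a signal.
pub fn inspect(raw: &str) -> (String, usize) {
    let (bytes, layers) = canonicalize(raw, 5);
    (fold(&String::from_utf8_lossy(&bytes)), layers)
}

fn main() { println!("{:?}", inspect("q=1%2520UNION%2520SELECT")); } // constructed sample
```

The canonical form is for rule matching only; forward the original bytes to the backend so legitimate data containing a literal percent sequence is not altered.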
Implementations
impl Strategy
pub const fn as_str(&self) -> &'static str
Returns the string identifier for this encoding strategy.
pub const fn contexts(&self) -> &'static [&'static str]
Returns the parser contexts where this strategy is semantically safe.
An empty slice means the strategy is generally applicable.
Callers should gate strategy application by matching these contexts
against the target type (e.g., json, html, sql, php, iis-6).
Trait Implementations
impl<'de> Deserialize<'de> for Strategy
fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where
    __D: Deserializer<'de>,
impl Copy for Strategy
impl Eq for Strategy
impl StructuralPartialEq for Strategy
Auto Trait Implementations
impl Freeze for Strategy
impl RefUnwindSafe for Strategy
impl Send for Strategy
impl Sync for Strategy
impl Unpin for Strategy
impl UnsafeUnpin for Strategy
impl UnwindSafe for Strategy
Blanket Implementations
impl<T> BorrowMut<T> for T
where
    T: ?Sized,
fn borrow_mut(&mut self) -> &mut T
impl<T> CloneToUninit for T
where
    T: Clone,
impl<Q, K> Equivalent<K> for Q
fn equivalent(&self, key: &K) -> bool
key and return true if they are equal.