#[non_exhaustive]
pub enum Strategy {
    UrlEncode,
    UrlEncodeLower,
    DoubleUrlEncode,
    TripleUrlEncode,
    UnicodeEncode,
    IisUnicodeEncode,
    JsonEncode,
    HtmlEntityEncode,
    HtmlEntityDecimalEncode,
    CaseAlternation,
    RandomCase,
    WhitespaceInsertion,
    SqlCommentInsertion,
    MysqlVersionedComment,
    NullByte,
    OverlongUtf8,
    OverlongUtf8More,
    ChunkedSplit,
    ParameterPollution,
    Base64Encode,
    Base64UrlEncode,
    HexEncode,
    Utf7Encode,
    GzipEncode,
    DeflateEncode,
    SpaceToComment,
    SpaceToDash,
    SpaceToHash,
    SpaceToPlus,
    SpaceToRandomBlank,
    PercentagePrefix,
    BetweenObfuscation,
    UnmagicQuotes,
    FullwidthEncode,
    HomoglyphEncode,
    TagCharEncode,
    VariationSelectorPad,
    VariationSelectorSupplementaryPad,
    LigatureEncode,
    CircledLetterEncode,
    ParenthesizedLetterEncode,
    SoftHyphenInject,
    WordJoinerWrap,
}
Available encoding strategies.
Context hints
Many strategies are only semantically correct in specific parser contexts.
Use Strategy::contexts to query the applicable contexts for a strategy.
Variants (Non-exhaustive)
This enum is marked as non-exhaustive
UrlEncode
Standard URL encoding (%XX) — preserves unreserved chars per RFC 3986. Safe for: query strings, paths, form data.
UrlEncodeLower
Lowercase hex URL encoding (%xx) — same semantics as UrlEncode.
Safe for: query strings, paths, form data.
DoubleUrlEncode
Double URL encoding (%25XX) — bypasses WAFs that decode once. Safe for: query strings, paths, form data.
TripleUrlEncode
Triple URL encoding (%2525XX) — bypasses WAFs that decode twice. Safe for: query strings, paths, form data.
UnicodeEncode
Unicode escape (\uXXXX) — ONLY safe when target parses JSON/JavaScript. Unsafe for: raw HTTP parameters, headers, most server frameworks.
IisUnicodeEncode
IIS/ASP percent Unicode (%uXXXX) — ONLY safe on IIS/ASP classic parsers. Unsafe for: modern servers (nginx, Apache, Node.js, etc.).
JsonEncode
JSON string encoding with Unicode escapes — ONLY safe in JSON contexts. Unsafe for: raw HTTP parameters.
HtmlEntityEncode
HTML entity encoding (&#xXX;) — ONLY safe in HTML contexts. Unsafe for: raw HTTP parameters, JSON bodies.
HtmlEntityDecimalEncode
HTML decimal entity encoding (&#60;) — ONLY safe in HTML contexts. Unsafe for: raw HTTP parameters, JSON bodies.
CaseAlternation
Alternating case (SeLeCt) — bypasses case-sensitive keyword filters.
Safe for: any text context where case is preserved.
RandomCase
Random alternating case — non-deterministic variant of CaseAlternation.
Safe for: any text context where case is preserved.
WhitespaceInsertion
Tab insertion BETWEEN tokens — preserves keyword integrity. Safe for: SQL contexts where whitespace separates tokens.
SqlCommentInsertion
SQL comment insertion BETWEEN tokens — preserves keyword integrity. Safe for: SQL contexts where comments are treated as whitespace.
MysqlVersionedComment
MySQL versioned comment (/*!50000SELECT*/) — executed by MySQL, ignored by WAFs.
Safe for: MySQL backends.
NullByte
Null byte injection (%00) — ONLY semantically correct for C-style string parsers. Context: php, some CGI implementations.
OverlongUtf8
Overlong UTF-8 encoding (2-byte) — ONLY works against legacy WAFs that normalize. Context: iis-6, very old frontends.
OverlongUtf8More
Extended overlong UTF-8 encoding (3-byte) — broader coverage than OverlongUtf8.
Context: iis-6, very old frontends.
ChunkedSplit
Chunked transfer-encoding split — ONLY valid with Transfer-Encoding: chunked.
Context: http-request-body.
ParameterPollution
HTTP parameter pollution — duplicate parameter with benign first value. Safe for: query strings, form data.
Base64Encode
Base64 encoding (standard alphabet). Safe for: headers, bodies, query strings (may need URL encoding after).
Base64UrlEncode
Base64 URL-safe encoding (-_ no padding). Safe for: URL contexts where +/ would be mangled.
HexEncode
Hex encoding. Safe for: any byte context.
Utf7Encode
UTF-7 encoding per RFC 2152. Context: legacy IIS/.NET parsers that decode UTF-7.
GzipEncode
Gzip compression — ONLY valid with Content-Encoding: gzip.
Context: http-request-body.
DeflateEncode
Deflate compression — ONLY valid with Content-Encoding: deflate.
Context: http-request-body.
SpaceToComment
Replace spaces with SQL comments (/**/).
Safe for: SQL contexts.
SpaceToDash
Replace spaces with dash comments (--).
Safe for: SQL contexts.
SpaceToHash
Replace spaces with hash comments (#).
Safe for: MySQL contexts.
SpaceToPlus
Replace spaces with plus signs (+).
Safe for: URL-encoded form data.
SpaceToRandomBlank
Replace spaces with random blank characters. Safe for: SQL contexts.
PercentagePrefix
Prefix each character with % — lightweight bypass.
Safe for: contexts that strip % before parsing.
BetweenObfuscation
Between obfuscation (= → BETWEEN # AND #).
Safe for: SQL contexts.
UnmagicQuotes
Unmagic quotes (%bf%27) — multi-byte charset quote escape.
Context: PHP with GBK/Big5/Shift-JIS connections.
FullwidthEncode
Fullwidth Unicode (SELECTuntouched) — bypasses ASCII keyword regex.
Context: backends that perform NFKC normalization (Java, .NET, Python 3, PostgreSQL).
HomoglyphEncode
Homoglyph substitution — visually identical Unicode chars for ', ", <, >, =.
Context: byte-level WAFs with Unicode-tolerant backends.
TagCharEncode
Plan 9 tag-character encoding — every ASCII byte becomes
U+E0000 + byte. Renders invisible; LLM-WAF tokenizers
frequently still decode them, defeating keyword filters.
Context: any (codepoint-level transforms).
VariationSelectorPad
Append U+FE0F VARIATION SELECTOR-16 after every codepoint. Some normalizers strip it; many WAFs don’t. Context: any.
VariationSelectorSupplementaryPad
Same as VariationSelectorPad but rotates through the
supplementary range U+E0100..=U+E01EF (per-position selector).
Defeats filters that strip the basic VS range only.
Context: any.
LigatureEncode
Replace ff/fi/fl/ffi/ffl/st/ſt with their
precomposed stylistic ligature codepoints (U+FB00..=U+FB06).
NFKC decomposes back; pre-NFKC WAFs see opaque codepoints.
Context: nfkc (origins that NFKC-fold).
CircledLetterEncode
Replace ASCII letters with U+24B6..=U+24E9 circled forms. NFKC-equivalent to ASCII letters. Context: nfkc.
ParenthesizedLetterEncode
Replace ASCII letters with U+1F110..=U+1F12B (upper) /
U+249C..=U+24B5 (lower) parenthesized forms.
NFKC-equivalent to ASCII letters. Rotation partner for
FullwidthEncode / CircledLetterEncode.
Context: nfkc.
SoftHyphenInject
Inject U+00AD SOFT HYPHEN between every pair of codepoints. Visually invisible; some backends strip during normalization. Context: any.
WordJoinerWrap
Wrap each codepoint in U+2060 WORD JOINER. Zero-width, NFC-stable, NFKC strips it. Context: any.
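For filter authors, the codepoint-level variants above (TagCharEncode, both variation-selector pads, SoftHyphenInject, WordJoinerWrap, FullwidthEncode, CircledLetterEncode) reduce to one requirement: fold the input before matching keywords. The following is an added, std-only example, not code from this crate; `canonicalize` and `hides_keyword` are hypothetical names. It does not cover ligatures, parenthesized letters or homoglyphs, which need full NFKC and a confusables table from a Unicode library.

```rust
// Added example (not part of the documented crate): fold the codepoint-level
// transforms described above back to ASCII before any keyword matching.
// Returns the folded text and the number of codepoints rewritten or dropped.
pub fn canonicalize(input: &str) -> (String, usize) {
    let mut out = String::with_capacity(input.len());
    let mut changed = 0usize;
    for c in input.chars() {
        let cp = c as u32;
        let folded = match cp {
            // Tag characters: U+E0000 + ASCII byte -> that ASCII byte.
            0xE0000..=0xE007F => char::from_u32(cp - 0xE0000),
            // Variation selectors: basic range and supplementary range.
            0xFE00..=0xFE0F | 0xE0100..=0xE01EF => None,
            // U+00AD SOFT HYPHEN and U+2060 WORD JOINER carry no text.
            0x00AD | 0x2060 => None,
            // Fullwidth forms U+FF01..=U+FF5E -> U+0021..=U+007E.
            0xFF01..=0xFF5E => char::from_u32(cp - 0xFEE0),
            // Circled letters: upper U+24B6..=U+24CF, lower U+24D0..=U+24E9.
            0x24B6..=0x24CF => char::from_u32(cp - 0x24B6 + 'A' as u32),
            0x24D0..=0x24E9 => char::from_u32(cp - 0x24D0 + 'a' as u32),
            _ => {
                out.push(c);
                continue;
            }
        };
        changed += 1;
        if let Some(f) = folded {
            out.push(f);
        }
    }
    (out, changed)
}

// True when `keyword` is missing from the raw input but appears after
// folding: the signature of codepoint-level obfuscation worth logging.
pub fn hides_keyword(input: &str, keyword: &str) -> bool {
    let kw = keyword.to_ascii_lowercase();
    let (canon, _) = canonicalize(input);
    !input.to_ascii_lowercase().contains(&kw) && canon.to_ascii_lowercase().contains(&kw)
}

fn main() {
    // Constructed samples: fullwidth, soft-hyphen split, plain.
    for s in ["\u{FF33}\u{FF25}\u{FF2C}\u{FF25}\u{FF23}\u{FF34}", "se\u{AD}lect", "select"] {
        let (canon, n) = canonicalize(s);
        println!("{:?} -> {:?} ({} folded), hidden={}", s, canon, n, hides_keyword(s, "select"));
    }
}
```

A non-zero fold count on a field that should be plain ASCII is itself a useful signal to log, independent of any keyword hit.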
Implementations
impl Strategy
pub const fn as_str(&self) -> &'static str
Returns the string identifier for this encoding strategy.
pub const fn contexts(&self) -> &'static [&'static str]
Returns the parser contexts where this strategy is semantically safe.
An empty slice means the strategy is generally applicable.
Callers should gate strategy application by matching these contexts
against the target type (e.g., json, html, sql, php, iis-6).
Trait Implementations
impl Copy for Strategy
impl<'de> Deserialize<'de> for Strategy
fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where
    __D: Deserializer<'de>,
impl Eq for Strategy
impl StructuralPartialEq for Strategy
Auto Trait Implementations
impl Freeze for Strategy
impl RefUnwindSafe for Strategy
impl Send for Strategy
impl Sync for Strategy
impl Unpin for Strategy
impl UnsafeUnpin for Strategy
impl UnwindSafe for Strategy
Blanket Implementations
impl<T> BorrowMut<T> for T
where
    T: ?Sized,
fn borrow_mut(&mut self) -> &mut T
impl<ST, DT> CastableFrom<ST, Initialized, Initialized> for DT
impl<ST, DT> CastableFrom<ST, Uninit, Uninit> for DT
impl<T> CloneToUninit for T
where
    T: Clone,
impl<T> DeserializeOwned for T
where
    T: for<'de> Deserialize<'de>,
impl<Q, K> Equivalent<K> for Q
impl<Q, K> Equivalent<K> for Q
fn equivalent(&self, key: &K) -> bool
key and return true if they are equal.