pub fn math_bold_encode(payload: &str) -> StringExpand description
Mathematical Alphanumeric Symbols encoding — replaces ASCII letters and
digits with their Math-Bold counterparts in the Unicode U+1D400 block.
A–Z → U+1D400–U+1D419 (Math Bold Capitals: 𝐀 𝐁 … 𝐙)
a–z → U+1D41A–U+1D433 (Math Bold Smalls: 𝐚 𝐛 … 𝐳)
0–9 → U+1D7CE–U+1D7D7 (Math Bold Digits: 𝟎 𝟏 … 𝟗)
Everything else is passed through unchanged (punctuation, spaces, etc.,
keep working as SQL/HTML syntax).
Bypass mechanism: every codepoint in this range NFKC-normalises back
to its plain-ASCII counterpart. Databases / frameworks that perform NFKC
normalisation (PostgreSQL with ICU collations, MySQL
utf8mb4_0900_ai_ci, Java Normalizer.normalize(s, NFKC), Python
unicodedata.normalize('NFKC', s), Go golang.org/x/text/unicode/norm)
see the original SELECT / UNION / script keyword and execute /
render it. WAFs scanning bytes for ASCII keywords see codepoints in the
U+1D400 block — no keyword match.
Distinct from fullwidth_encode: fullwidth uses the U+FF00
Halfwidth-and-Fullwidth-Forms block. Math Alphanumeric uses the
U+1D400 block — different code range, different WAF coverage gap.
WAFs that block fullwidth (a common technique since 2020) often do not
also block Math Alphanumeric Symbols. Both encode-paths NFKC to ASCII.
Context: any target whose backend NFKC-normalises before parsing.
Confirmed targets: PostgreSQL ICU + MySQL utf8mb4_0900_ai_ci
SQL identifiers, Java/Spring Boot path matching, .NET String.Normalize.