Skip to main content

turkish_i_encode

Function turkish_i_encode 

Source
pub fn turkish_i_encode(payload: &str) -> String
Expand description

Turkish dotless-i substitution: replace i/I with U+0131/U+0130.

U+0131 LATIN SMALL LETTER DOTLESS I does NOT ASCII-uppercase to I (it only uppercases to I in Turkish locale). A WAF that performs ASCII case-fold via Lua string.lower or PHP strtolower (CRS default) misses scrıpt when looking for script. The HTML5 spec requires browsers to normalise U+0131 to i in tag names, so <scrıpt>alert(1)</scrıpt> renders as a script tag.

CVE-class: GitHub auth byass via Turkish dotless-i (dev.to 2018).