pub fn turkish_i_encode(payload: &str) -> StringExpand description
Turkish dotless-i substitution: replace i/I with U+0131/U+0130.
U+0131 LATIN SMALL LETTER DOTLESS I does NOT ASCII-uppercase to I
(it only uppercases to I in Turkish locale). A WAF that performs
ASCII case-fold via Lua string.lower or PHP strtolower (CRS
default) misses scrıpt when looking for script. The HTML5 spec
requires browsers to normalise U+0131 to i in tag names, so
<scrıpt>alert(1)</scrıpt> renders as a script tag.
CVE-class: GitHub auth byass via Turkish dotless-i (dev.to 2018).