Function zero_width_inject 

pub fn zero_width_inject(payload: &str, invisible_char: char) -> String

Inject zero-width / format characters between letters of payload.

chars selects which invisible char to insert; positions controls where (every-other / per-keyword-letter / FNV-seeded). The output is byte-distinct from the input but visually identical and, for chars = ZERO_WIDTH_DEFAULTS, semantically equivalent for most HTML and SQL parsers (which strip U+200B–200D / U+FEFF on parse).

The Sucuri-documented XSS bypass <scr​ipt>alert(1)</scr​ipt> places U+200B between scr and ipt: the WAF regex /script/i does not match, while the browser’s HTML parser drops the ZWSP and renders.

Use ZERO_WIDTH_DEFAULTS for the recommended cycle of [U+200B, U+200C, U+200D, U+FEFF, U+034F] — rotating across these per-position defeats WAFs that have hardcoded a single zero-width stripper.
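The defensive counterpart, as an added example that is not part of this crate: strip all five code points listed above before any keyword or regex rule runs, and count invisibles that split a run of ASCII letters as a detection signal. The names `INVISIBLE`, `strip_invisible`, `invisible_inside_ascii_words` and `matches_keyword` are hypothetical, and the sample string is constructed.

```rust
// Added example: defensive normalization, not code from the documented crate.
// The set is the five code points the page lists for ZERO_WIDTH_DEFAULTS.
const INVISIBLE: [char; 5] = ['\u{200B}', '\u{200C}', '\u{200D}', '\u{FEFF}', '\u{034F}'];

/// Remove every listed invisible code point so later matching sees the visible text.
pub fn strip_invisible(input: &str) -> String {
    input.chars().filter(|c| !INVISIBLE.contains(c)).collect()
}

/// Count invisible code points whose nearest visible neighbours are both ASCII
/// letters (the keyword-splitting placement). ZWJ/ZWNJ between non-ASCII
/// letters, as in Persian or emoji sequences, is not counted.
pub fn invisible_inside_ascii_words(input: &str) -> usize {
    let chars: Vec<char> = input.chars().collect();
    let mut hits = 0;
    for (i, c) in chars.iter().enumerate() {
        if !INVISIBLE.contains(c) {
            continue;
        }
        // Skip over runs of invisibles to find the visible neighbours.
        let prev = chars[..i].iter().rev().find(|p| !INVISIBLE.contains(*p));
        let next = chars[i + 1..].iter().find(|n| !INVISIBLE.contains(*n));
        if let (Some(p), Some(n)) = (prev, next) {
            if p.is_ascii_alphabetic() && n.is_ascii_alphabetic() {
                hits += 1;
            }
        }
    }
    hits
}

/// Case-insensitive keyword check, with or without normalization first.
pub fn matches_keyword(input: &str, keyword: &str, normalize: bool) -> bool {
    let text = if normalize { strip_invisible(input) } else { input.to_string() };
    text.to_lowercase().contains(&keyword.to_lowercase())
}

fn main() {
    // Constructed sample: the page's example with two different invisibles.
    let sample = "<scr\u{200B}ipt>alert(1)</SCR\u{034F}ipt>";
    println!("raw match:         {}", matches_keyword(sample, "script", false));
    println!("normalized match:  {}", matches_keyword(sample, "script", true));
    println!("suspicious splits: {}", invisible_inside_ascii_words(sample));
}
```

Because the filter covers the whole set rather than one code point, rotating characters per position does not change the normalized text the rule sees.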