pub fn zero_width_inject(payload: &str, invisible_char: char) -> String
Inject zero-width / format characters between letters of payload.
chars selects which invisible char to insert; positions controls
where (every-other / per-keyword-letter / FNV-seeded). The output
is byte-distinct from the input but visually identical and, for
chars = ZERO_WIDTH_DEFAULTS, semantically equivalent for most HTML
and SQL parsers (which strip U+200B–200D / U+FEFF on parse).
The Sucuri-documented XSS bypass <script>alert(1)</script>
uses U+200B between scr and ipt: the WAF regex /script/i
misses it, and the browser’s HTML parser drops the ZWSP and renders.
Use ZERO_WIDTH_DEFAULTS for the recommended cycle of
[U+200B, U+200C, U+200D, U+FEFF, U+034F] — rotating across these
per-position defeats WAFs that have hardcoded a single zero-width
stripper.
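
A defender-side counterpart, as an added example that is not part of the documented crate: input is normalized by removing all five code points listed above before keyword matching, and the result is compared with a stripper hardcoded to U+200B alone. The names normalize, inspect, Verdict and strip_only_zwsp, and the sample string, are constructed for illustration.

```rust
// Added example (not the crate's code). The set below is the five code
// points the page lists for ZERO_WIDTH_DEFAULTS.
const INVISIBLE: [char; 5] = ['\u{200B}', '\u{200C}', '\u{200D}', '\u{FEFF}', '\u{034F}'];

/// Outcome of inspecting one request field (hypothetical type).
#[derive(Debug, PartialEq)]
pub struct Verdict {
    pub stripped: usize,        // invisible code points removed; > 0 is worth logging
    pub raw_match: bool,        // keyword found in the input as received
    pub normalized_match: bool, // keyword found after normalization
}

/// Drop every listed invisible code point and count how many were removed.
pub fn normalize(input: &str) -> (String, usize) {
    let mut out = String::with_capacity(input.len());
    let mut stripped = 0;
    for c in input.chars() {
        if INVISIBLE.contains(&c) { stripped += 1 } else { out.push(c) }
    }
    (out, stripped)
}

/// Case-insensitive substring check, standing in for a rule like /script/i.
fn contains_ci(haystack: &str, keyword: &str) -> bool {
    haystack.to_lowercase().contains(&keyword.to_lowercase())
}

/// Match the keyword against both the raw and the normalized input.
pub fn inspect(input: &str, keyword: &str) -> Verdict {
    let (clean, stripped) = normalize(input);
    Verdict {
        stripped,
        raw_match: contains_ci(input, keyword),
        normalized_match: contains_ci(&clean, keyword),
    }
}

/// The weak form the page describes: a stripper hardcoded to one code point.
pub fn strip_only_zwsp(input: &str) -> String {
    input.replace('\u{200B}', "")
}

fn main() {
    // Constructed sample: U+200C and U+034F instead of the single U+200B.
    let sample = "<scr\u{200C}ipt>alert(1)</scr\u{034F}ipt>";
    println!("{:?}", inspect(sample, "script"));
    println!("single-char stripper catches it: {}",
             contains_ci(&strip_only_zwsp(sample), "script"));
}
```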