Невидимый символ

What Are Invisible Characters?

Invisible characters are Unicode code points that have no visible glyph — they render as nothing in normal circumstances, yet they occupy space in a string and can affect text layout, rendering, and processing. They include format characters, zero-width characters, and various control or separator code points.

Invisible characters are legitimate and useful in proper typography and internationalization, but they are also exploited for obfuscation, invisible text, and bypassing filters.

Categories of Invisible Characters

Zero-Width Characters

These have no advance width in text layout:

Format Characters (Cf)

Non-Printing Control Characters

U+0000–U+001F (C0 controls) and U+007F–U+009F (C1 controls) are mostly invisible and have no standard rendering.

Detecting Invisible Characters

import unicodedata

def is_invisible(char: str) -> bool:
    cat = unicodedata.category(char)
    # Cf = Format, Cc = Control, Cs = Surrogate
    return cat in ("Cf", "Cc") or unicodedata.combining(char) != 0

def find_invisible(text: str) -> list[tuple[int, str, str]]:
    return [
        (i, hex(ord(c)), unicodedata.name(c, "UNKNOWN"))
        for i, c in enumerate(text)
        if is_invisible(c)
    ]

text = "Hello\u200BWorld\u200D!"
find_invisible(text)
# [(5, "0x200b", "ZERO WIDTH SPACE"),
#  (11, "0x200d", "ZERO WIDTH JOINER")]

# Stripping all invisible characters
import regex  # pip install regex
def strip_invisible(text: str) -> str:
    return regex.sub(r"\p{Cf}", "", text)

strip_invisible("Hello\u200BWorld")  # "HelloWorld"

JavaScript Detection

// Detect zero-width and format characters
function findInvisible(text) {
  const results = [];
  for (const [i, char] of [...text].entries()) {
    const cp = char.codePointAt(0);
    if (
      (cp >= 0x200B && cp <= 0x200F) ||  // ZW space, joiners, marks
      (cp >= 0x202A && cp <= 0x202E) ||  // bidi controls
      cp === 0x2060 || cp === 0xFEFF ||
      (cp >= 0x2061 && cp <= 0x2064)
    ) {
      results.push({ index: i, codePoint: cp.toString(16), char });
    }
  }
  return results;
}

// Strip format characters using Unicode property
const stripped = text.replace(/\p{Cf}/gu, "");

Legitimate Uses

# ZWJ in emoji sequences (family emoji)
family = "👨\u200D👩\u200D👧"   # 👨‍👩‍👧 one grapheme

# ZWNJ for Persian/Arabic (prevent unwanted ligature)
correct = "می\u200Cکنم"          # correct word separation in Persian

# LRM/RLM for bidi text
mixed = "Hello \u200Eمرحبا"       # force LTR context around Arabic

Security Considerations

Invisible characters are used for:

1. Text fingerprinting/watermarking: Embedding hidden patterns to track document leaks.
2. Bypassing content filters: c\u200Ba\u200Bt to write "cat" while evading text matching.
3. Homograph attacks: Hidden bidi overrides can reverse text direction in filenames or URLs.
4. Obfuscating malicious strings: Zero-width characters interspersed in code.

# Security: normalize input by stripping Cf characters
import unicodedata
def sanitize(text: str) -> str:
    # Remove format characters
    cleaned = "".join(c for c in text if unicodedata.category(c) != "Cf")
    # NFC normalize
    return unicodedata.normalize("NFC", cleaned)

Quick Facts