Invisible Character Detector

How to Use the Invisible Character Detector

1. Paste your suspicious text into the large input area. The scan runs automatically on every keystroke, so you do not need to click a button.
2. Read the summary card at the top. It lists how many invisible characters were found, broken down by Unicode category (zero-width, bidi control, spaces, BOM, separators).
3. Open the details table to see each occurrence with its code point, Unicode name, and byte offset into the input, so you can jump to the exact spot in your editor.
4. Scroll the highlighted preview below the table. Every hidden character is replaced with a colored tag such as [U+200B] so you can visually locate the intrusion.
5. Click Clean Text to strip every detected character in place, or Copy Cleaned Text if you prefer to keep the original in the textarea untouched.
6. Paste the cleaned result back into your editor, commit, or paste wherever the malformed text originated.

Under the Hood

The detector walks the input with Array.from(str) so it iterates over Unicode code points rather than UTF-16 code units, then checks each code point against a curated set of categories: Cf (format control), Cc (control), Zs (space separators other than U+0020), Zl (line separator), Zp (paragraph separator), and a specific allow-list of zero-width joiners, variation selectors, and bidi marks. Decisions are driven by the code point itself, not the character's visual rendering, so glyphs missing in your system font do not cause false positives. The highlighting pass replaces each detected character with a <span> tag using DOM text nodes rather than innerHTML, which means the preview cannot accidentally inject executable markup even for pathological inputs.

Why You Would Run Text Through This

• A copy-pasted shell command keeps failing with "command not found" because a zero-width space hides between git and status.
• Your programming language's string comparison returns false for two values that look identical on screen.
• You pasted a password from a password manager and authentication fails because a bidirectional mark rode along.
• A JSON file fails to parse with a cryptic "Unexpected token" error at column 1 because of a UTF-8 BOM.
• You received a Word document export that contains soft hyphens (U+00AD) that break grep and line-wrap mid-word.
• You are auditing an AI-generated response to check for homoglyph attacks or Trojan Source-style hidden control characters before shipping it to production.

Common Pitfalls and Edge Cases

• ZWJ emoji sequences. The family-of-four emoji joins four people with zero-width joiners (U+200D). Those are intentional and removing them breaks the composed glyph. The detector flags them but you should keep them.
• Variation selectors. U+FE0F changes a base character into its emoji presentation (like the red heart). Stripping it can turn colorful emoji back into plain text glyphs.
• Arabic and Hebrew bidi marks. U+200E (LRM) and U+200F (RLM) can be legitimate in right-to-left text. Blindly removing them can break sentence ordering.
• The UTF-8 BOM (U+FEFF). Harmless in most text editors but will break shebang parsing (#!/bin/sh), JSON parsers, and HTTP Content-Type sniffing when it appears at the start of a file.
• Non-breaking space (U+00A0). Visually identical to a normal space but is not recognized by \\s in some regex flavors and fails to split with str.split(' ').
• Tabs and regular spaces are not flagged, because they are visible whitespace. Use the Whitespace Remover tool if you need to strip them.

Unicode Category Background

Every Unicode code point is assigned a General_Category property that groups it into classes such as Letter, Number, Punctuation, Symbol, Mark, Separator, or Other. The "invisible" class is not a single category - it is an informal union drawn from several: Cf (format characters like zero-width joiners and bidi marks), Cc (control codes like NULL and the shell beep), Zl and Zp (line and paragraph separators U+2028 and U+2029), and many of the Zs space characters beyond U+0020 (en space, em space, hair space, mongolian vowel separator). Unicode Technical Standard #39 (Unicode Security Mechanisms) and the Trojan Source research paper (CVE-2021-42574) document how these characters can be weaponized to sneak malicious code past human review. Unicode UAX #31, covering identifier syntax, recommends restricting programming-language identifiers to a conservative subset to prevent such attacks.

Comparison to Alternatives

On Linux you can spot invisible characters with cat -A, which converts non-printables to caret notation, or with hexdump -C for byte-level certainty. Editors such as VS Code, Sublime Text, and JetBrains IDEs have optional rendering of whitespace and bidi characters that reveals them inline. Many language linters (for example eslint-plugin-no-bidi and gitleaks) flag Trojan Source and homoglyph attacks at commit time. The npm package strip-invisible-characters or the Python unicodedata module let you script the cleanup at build time. Use this web detector when you have a snippet you received via chat or email and want an instant visual breakdown without opening a terminal or installing plugins - especially useful on a Chromebook, a phone, or a locked-down work laptop.