Hidden Character Finder
A comprehensive sweep for all known invisible Unicode characters — from everyday non-breaking spaces to critical-risk Unicode tag characters used in AI prompt injection attacks.
The Unicode standard defines many code points that produce no visible glyph. They range from harmless typographic helpers (soft hyphen U+00AD, thin space U+2009) to security-critical control characters that can deceive code reviewers or inject hidden instructions into AI-processed text. The Invisible Unicode Character Detector covers all of them across four risk levels:
- Critical — Unicode tag characters (U+E0001–U+E007F): The "Tags" Unicode block is completely invisible in all mainstream text editors, terminals, and web browsers. In 2024 and 2025, security researchers demonstrated that tag characters can carry invisible instructions that AI language models read and act on, while human reviewers see nothing — prompt injection via hidden text.
- High — BiDi control characters (U+200E, U+200F, U+061C, U+202A–U+202E, U+2066–U+2069): Used in the Trojan Source (CVE-2021-42574) attack to make malicious source code appear benign to reviewers.
- Medium — Zero-width characters (U+200B, U+200C, U+200D, U+FEFF): Break string comparisons and identifier matching in code, configuration files, and data.
- Low — Non-breaking spaces and typographic spaces (U+00A0, U+2000–U+200A, etc.): Usually benign but cause unexpected behaviour in YAML, Markdown, and shell scripts.
How to find hidden characters
- Open the Invisible Unicode Character Detector and paste the text you want to inspect.
- Click Analyze. The tool iterates every Unicode code point and reports all invisible characters found, sorted from Critical down to Low risk, with exact codepoints and counts.
- Review the results table. For Critical or High findings, treat the source as potentially malicious. Use the Cleaned text output for a safe copy with all hidden characters removed.
Related tools
- Full invisible character scan — main tool with all categories
- Detect zero-width characters — ZWSP, ZWJ, ZWNJ focus
- BiDi override attack checker — Trojan Source CVE-2021-42574
- Zero-width space checker — targeted U+200B detection