Skip to content

Homoglyph & Invisible Character Detector

What This Tool Does

Homoglyph & Invisible Character Detector is built for deterministic developer and agent workflows.

Detect zero-width characters, bidi overrides, and homoglyph look-alikes in text or code to catch spoofing and hidden-instruction attacks.

Use How to Use for execution steps and FAQ for constraints, policies, and edge cases.

Last updated:

This tool is provided as-is for convenience. Output should be verified before use in any production or critical context.

Agent Invocation

Best Path For Builders

Browser workflow

Runs instantly in the browser with private local processing and copy/export-ready output.

Browser Workflow

This tool is optimized for instant in-browser execution with local data handling. Run it here and copy/export the output directly.

/homoglyph-detector/

For automation planning, fetch the canonical contract at /api/tool/homoglyph-detector.json.

How to Use Homoglyph & Invisible Character Detector

  1. 1

    Paste the text or code

    Drop a snippet, filename, URL, username, or prompt into the scan box. Use Load sample to see a string that already hides a zero-width space, a bidi override, and Cyrillic look-alikes.

  2. 2

    Read the findings

    Each suspicious character is grouped by category with its codepoint, Unicode name, occurrence count, and positions, so you can see exactly what was hidden and where.

  3. 3

    Inspect the highlighted view

    The rendered text marks every hit with a colored chip. Hover a chip to read its codepoint and name; invisible characters show their hex code and exotic spaces show as a dot.

  4. 4

    Copy the sanitized text

    Use Copy sanitized to grab a cleaned version with invisible and bidi characters stripped and homoglyphs mapped back to ASCII, ready to paste into your editor or ticket.

Frequently Asked Questions

What does this tool detect?
It scans for four risks: zero-width and invisible characters (U+200B–200D, U+2060, U+FEFF), bidirectional controls (U+202A–202E, U+2066–2069), non-ASCII whitespace like NBSP, and Cyrillic or Greek letters that imitate Latin ones.
What is a Trojan Source / bidi attack?
Bidirectional override characters reorder how text displays without changing how it is stored, so source code can read one way to a human and run another way to a compiler. The tool flags those controls so reviews are not fooled.
How does the sanitize output work?
Zero-width and bidi characters are removed, non-ASCII spaces become a normal ASCII space, and curated Cyrillic/Greek look-alikes are mapped to their Latin equivalent. The rest of the text is left untouched.
Is my text kept private?
Yes. Scanning, highlighting, and sanitizing all run in your browser with plain JavaScript. The text you paste is never uploaded or sent to any server.
Why would normal-looking text contain these characters?
They appear in copied web content, phishing domains, prompt-injection payloads, watermarked AI output, and spoofed usernames. Catching them prevents look-alike accounts and hidden instructions reaching your code or model.