The zero-width space was added to Unicode 1.1 in 1993 to solve a problem that did not exist in English. Asian scripts — Chinese, Japanese, Thai, Khmer — write words without separating them with visible spaces, so a line-break engine has no obvious place to wrap a line. ZWSP, code point U+200B, was the typographic answer: an invisible character that signals to a renderer where a line break is permitted, but adds no visible gap and no extra width to the rendered text. It is, by specification, semantically empty and visually absent.

Thirty-three years later, “semantically empty and visually absent” describes the perfect carrier for content the writer does not want the reader to see.

The family

The zero-width characters are not one code point but a small family with overlapping behavior and very different histories.

  • U+200B ZERO WIDTH SPACE — the line-break marker, 1993.
  • U+200C ZERO WIDTH NON-JOINER — also 1993, prevents ligature formation in scripts like Persian and Urdu where joining behavior is contextual.
  • U+200D ZERO WIDTH JOINER — also 1993, forces joining; used heavily in modern emoji sequences and in Devanagari for half-letter forms.
  • U+FEFF BYTE ORDER MARK — originally a stream-direction marker, also pressed into service as “zero-width no-break space” until that role was formally withdrawn in Unicode 3.2 in 2002 and replaced by U+2060.
  • U+2060 WORD JOINER — the explicit “do not break here” character that took over the deprecated mid-stream use of U+FEFF.
  • U+180E MONGOLIAN VOWEL SEPARATOR — historically zero-width, reclassified in Unicode 6.3 in 2013 to have visible width in some contexts but still treated as invisible by many systems that have not updated their tables.

Each was added to handle a real typographic or linguistic problem. None of them was added to carry data. All of them now do.

The legitimate-use trap

This is what makes the zero-width family harder to handle than the Plane 14 Tags block. Plane 14 was deprecated in 2008. No production system has used it for its original purpose in nearly two decades. Strip it from any text stream and nothing legitimate breaks.

The zero-width characters are still in active legitimate use across a meaningful slice of the world’s writing systems. Strip them blanket and you break:

  • Every multi-codepoint emoji that uses ZWJ to combine glyphs into a single rendered character.
  • Every word of Persian, Urdu, or Pashto rendered with ZWNJ where ligature suppression is grammatically required.
  • Every Devanagari half-letter formed with ZWJ.
  • Line-break opportunities in Chinese, Japanese, Thai, Khmer, and other scripts that do not separate words with visible spaces.
  • The byte-order signal at the start of UTF-encoded files, where U+FEFF still serves its original role.

A sanitizer that strips zero-width characters indiscriminately is broken for a meaningful slice of the world’s text. A sanitizer that does not strip them is broken for a different slice — the slice where invisible payloads ride into trusted contexts.

The right answer is contextual. ZWJ between two emoji code points is legitimate; ZWJ between two Latin letters is not. ZWSP between a Chinese character and a Latin word is legitimate; ZWSP inside the middle of an English word is not. The rules are not difficult to write, but they have to actually be written. Most sanitizers do not write them.

What gets carried

Zero-width characters carry data in three distinct ways, each with its own production track record.

Watermarking. Insert one ZWSP at the end of paragraph one, two ZWSPs at the end of paragraph two, three at paragraph three. The pattern encodes an identifier — a customer number, a document version, a user ID. The text reads identically to every recipient; the watermark is unique per copy. Leaked documents trace back to the leaker. Several enterprise document-management systems offer a variant of this technique as a feature, sold under the banner of leak-resistance. Anyone who copies a watermarked passage and pastes it elsewhere carries the identifier with them.

Bit-level steganography. Treat the presence or absence of a ZWSP at predictable positions as a binary signal. One hundred words of cover text can carry roughly one hundred bits of hidden payload. The technique is not new — academic work on whitespace steganography dates to at least the late 1990s — but it survives every visual review, every spell checker, and most automated content scanners. The cover text needs no modification beyond the inserted invisibles; the meaning of the visible content is preserved exactly.

Tokenization disruption. This is the failure mode that matters most for AI workflows. A ZWSP inserted between letters of a word causes most tokenizers to split the word into pieces it would not otherwise split. A model trained on the unsplit word sees a token sequence it has rarely or never seen. This is the technical core of the wave of “AI text humanizer” tools that surfaced through 2024 and 2025: insert zero-width characters between letters until the perplexity signature of the text no longer matches what a detector expects from a model. The visible English is unchanged. The underlying byte stream is altered to evade classification.

The same mechanism, with a slightly different payload pattern, hides instruction markers. A prompt-injection attack does not need Plane 14 tag characters to evade visual review. A ZWSP-bracketed phrase in the middle of an otherwise innocuous paragraph can mark a region of text that a model parses differently from how a human reader expects it to be parsed.
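A detection check for two of the patterns described in this section, as an added example that is not code from the original post: it reads back the per-paragraph trailing count used by the watermarking scheme and lists words that zero-width characters have split. The sample text and the function names are constructed for illustration.

```python
import re

# The zero-width family named in this article.
ZERO_WIDTH = "\u200b\u200c\u200d\ufeff\u2060\u180e"
TRAILING = re.compile(f"[{ZERO_WIDTH}]+$")
# ASCII letters interrupted by one or more zero-width characters: a split word.
MID_WORD = re.compile(f"[A-Za-z]+(?:[{ZERO_WIDTH}]+[A-Za-z]+)+")

def paragraph_fingerprint(text):
    """Count trailing zero-width characters per paragraph (the watermark pattern)."""
    counts = []
    for para in text.split("\n\n"):
        match = TRAILING.search(para.rstrip(" \t\n"))
        counts.append(len(match.group()) if match else 0)
    return counts

def split_words(text):
    """Return (visible_word, hidden_count) for each word broken by zero-width characters."""
    hits = []
    for match in MID_WORD.finditer(text):
        raw = match.group()
        visible = re.sub(f"[{ZERO_WIDTH}]", "", raw)
        hits.append((visible, len(raw) - len(visible)))
    return hits

# Constructed sample: three paragraphs carrying 1, 2 and 3 trailing ZWSPs,
# plus one word split by two ZWSPs.
SAMPLE = ("Quarterly results were strong.\u200b\n\n"
          "Margins improved in every region.\u200b\u200b\n\n"
          "The de\u200bt\u200bector saw nothing unusual.\u200b\u200b\u200b")

if __name__ == "__main__":
    print(paragraph_fingerprint(SAMPLE))
    print(split_words(SAMPLE))
```

A fingerprint that is non-zero and varies by paragraph is a reason to treat the text as a per-copy identifier before it is pasted anywhere else.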

Where this lands in production

Zero-width characters arrive in your text from sources you cannot fully audit:

  • Marketing copy from CMS systems that insert ZWSP for hyphenation control.
  • AI-generated content from “humanizer” wrappers that inject ZWSP between letters to evade detection.
  • Email signatures, particularly from corporate templates that include zero-width no-break space for line-break suppression in long titles and addresses.
  • Documents exported from word processors that preserve invisible artifacts from earlier edits.
  • Pasted citations and bibliography entries from reference managers.
  • Anything copied from a paywalled or watermarked source.

Each of these is benign in isolation. Each carries a different invisible layer the recipient cannot see. When the recipient pastes the text into a language model — for a summary, a translation, a rewrite, a code generation, a customer-support response — the model receives the full byte sequence: the visible content plus every accumulated zero-width artifact from every prior stage of the document’s history.

The model does not know which artifacts are legitimate typographic markers and which are smuggled payloads. The user does not know they are there at all.

What does not work

Three common approaches fall short.

NFKC normalization preserves zero-width characters because they are already in canonical form. The Unicode normalization forms — NFC, NFD, NFKC, NFKD — were designed to handle composed-versus-decomposed equivalence and compatibility decomposition. They were not designed to remove invisible payload carriers. Running normalization on a string containing ZWSP returns a string containing ZWSP.

Regex-based stripping of [\u200B-\u200D] removes all three primary members of the family without distinguishing legitimate from illegitimate use. It breaks emoji ZWJ sequences, breaks Persian and Urdu ligature suppression, breaks Devanagari rendering, and breaks Chinese, Japanese, and Thai line-break opportunities. It also misses U+FEFF, U+2060, and U+180E, all of which carry the same risk profile.

Whitespace collapse — replacing runs of whitespace with single spaces — does not touch zero-width characters at all. They are not whitespace; they have no width to collapse. The Unicode property White_Space is false for every member of the zero-width family.
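The three approaches above, run against one constructed string so the survivors can be checked directly. This is an added example, not code from the original post; the sample string and the names `NAIVE`, `survivors` and `audit` are illustrative.

```python
import re
import unicodedata

# The zero-width family listed in this article.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\ufeff", "\u2060", "\u180e"}

# Constructed sample: a split word, mid-stream U+2060 and U+FEFF, and a
# legitimate family emoji (man + ZWJ + woman + ZWJ + girl).
FAMILY = "\U0001F468\u200d\U0001F469\u200d\U0001F467"
SAMPLE = "pass\u200bword  \u2060reset\ufeff " + FAMILY

NAIVE = {
    "nfkc": lambda t: unicodedata.normalize("NFKC", t),
    "regex": lambda t: re.sub("[\u200b-\u200d]", "", t),
    "collapse": lambda t: re.sub(r"\s+", " ", t),
}

def survivors(text):
    """Sorted U+XXXX labels of zero-width characters still present."""
    return sorted({f"U+{ord(c):04X}" for c in text if c in ZERO_WIDTH})

def audit(text=SAMPLE):
    """Run each naive approach; report what survived and whether the emoji broke."""
    report = {}
    for name, clean in NAIVE.items():
        out = clean(text)
        report[name] = {"survivors": survivors(out), "emoji_intact": FAMILY in out}
    return report

if __name__ == "__main__":
    for name, result in audit().items():
        print(name, result)
```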

What does work

Context-aware sanitization. Strip ZWSP between Latin letters but preserve it between scripts that legitimately use it. Strip ZWJ between non-emoji codepoints but preserve it within emoji sequences and within the scripts that depend on it. Strip U+FEFF in mid-stream positions but preserve it at the start of UTF-encoded files where it serves as a byte-order signal. Strip U+2060 in any context where word joining is not semantically required. Surface every finding by code point and class, with a severity rating that reflects the context, not just the codepoint.

This is the work AcePaste Cleaner Pro does on every paste. Each zero-width character is inspected in the context of the characters surrounding it. Latin-script context with mid-word ZWSP: stripped, flagged. Emoji sequence with ZWJ: preserved, noted. Persian word with ZWNJ between letters that require disjoining: preserved. The cleaning report tells you what was there, what was removed, what was kept, and why.
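The contextual rules described above, implemented as an added example; this is not AcePaste Cleaner Pro's code and not the author's. Assumptions: scripts are guessed from Unicode character names, emoji are approximated by code point range, and U+2060 and U+180E are always stripped as a simplification.

```python
import unicodedata

ZW = {"\u200b": "ZWSP", "\u200c": "ZWNJ", "\u200d": "ZWJ",
      "\ufeff": "BOM", "\u2060": "WJ", "\u180e": "MVS"}
BREAK_SCRIPTS = {"CJK", "HIRAGANA", "KATAKANA", "THAI", "KHMER"}  # no visible word spaces
JOIN_SCRIPTS = {"ARABIC", "DEVANAGARI"}  # joiners change rendering here

def script(ch):
    """Script guessed from the character name; the stdlib exposes no Script property."""
    return unicodedata.name(ch, "").split(" ")[0] if ch else ""

def is_emoji(ch):
    """Approximate emoji test by code point range (assumption); VS16 counts too."""
    cp = ord(ch) if ch else 0
    return 0x1F300 <= cp <= 0x1FAFF or 0x2600 <= cp <= 0x27BF or cp == 0xFE0F

def neighbour(text, i, step):
    """Nearest character on one side of index i that is not itself zero-width."""
    i += step
    while 0 <= i < len(text):
        if text[i] not in ZW:
            return text[i]
        i += step
    return ""

def sanitize(text):
    """Return (cleaned, findings); each finding is (index, code point, class, action)."""
    out, findings = [], []
    for i, ch in enumerate(text):
        if ch not in ZW:
            out.append(ch)
            continue
        prev, nxt = neighbour(text, i, -1), neighbour(text, i, 1)
        scripts = {script(prev), script(nxt)}
        if ch == "\ufeff":        # byte-order mark: only valid as the first character
            keep = i == 0
        elif ch == "\u200b":      # break opportunity: only next to unspaced scripts
            keep = bool(scripts & BREAK_SCRIPTS)
        elif ch == "\u200d":      # joiner: inside emoji sequences or joining scripts
            keep = (is_emoji(prev) and is_emoji(nxt)) or bool(scripts & JOIN_SCRIPTS)
        elif ch == "\u200c":      # non-joiner: joining scripts only
            keep = bool(scripts & JOIN_SCRIPTS)
        else:                     # U+2060, U+180E: always stripped here (simplification)
            keep = False
        if keep:
            out.append(ch)
        findings.append((i, f"U+{ord(ch):04X}", ZW[ch], "kept" if keep else "stripped"))
    return "".join(out), findings
```

The findings list records kept characters as well as stripped ones, so a report built from it can show what was there, what was removed and what was preserved.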

The standing problem

Zero-width characters are not going away. They are required infrastructure for a large fraction of human written language. They will continue to appear in legitimate content. They will continue to be available as carriers for watermarks, steganographic payloads, and injection markers, because their fundamental property — semantically present and visually absent — is the same property that makes them useful for both purposes. The defense cannot be at the character layer alone, because the character layer cannot tell legitimate from illegitimate use without context.

The defense has to live at the boundary between untrusted text and trusted context. The clipboard, the paste, the moment text crosses from one application that may not have checked it into another application that will treat it as input. Strip there, with context, or accept that everything downstream is processing bytes the user did not see.


This is the third post in our series on invisible Unicode as security surface. The pillar essay is “The Invisible Text You’re Pasting Into Your LLM”; the second post was “Plane 14 Was Supposed to Tag Languages. It Smuggles Instructions Instead.” The next post examines bidirectional override characters and what the Trojan Source CVE looks like when the target is an LLM rather than a compiler.


I write, research, analyze, and build systems at twl.today, with a focus on cognitive and technical attack surfaces in sociotechnical systems — the seams where human attention, machine processing, and invisible mechanisms diverge.

— B. Greenway