What are BiDi control characters?

They are invisible Unicode characters that change how surrounding text is laid out — left-to-right or right-to-left. Examples include RLO (U+202E), LRE (U+202A), LRI (U+2066) and PDF (U+202C). They are legitimate for mixing Arabic or Hebrew with Latin text but can be abused to hide or reorder content.

What is the Trojan Source attack?

Trojan Source (CVE-2021-42574) uses BiDi overrides to make source code or a filename render in a different order than it is stored, so a reviewer sees safe-looking code while the compiler runs something else. This tool surfaces those hidden characters.

How does a filename spoof work?

An RLO character before, say, gpj.exe makes it display as exe.jpg, so a victim thinks they are opening an image when it is really an executable. The inspector reveals the override so the real extension is visible.

Is anything uploaded?

No. The scan runs in JavaScript in your browser against a fixed list of bidirectional control code points. Your text never leaves the page.

Will normal text ever be flagged?

Only if it genuinely contains bidirectional control characters. Plain Latin text, and even ordinary Arabic or Hebrew without explicit overrides, produces no flags.

BiDi / RTL Text Inspector

Expose invisible reordering characters

Unicode has a set of bidirectional (BiDi) control characters that silently change the visual order of text — essential for mixing right-to-left scripts like Arabic and Hebrew with left-to-right Latin, but dangerous when abused. A single Right-to-Left Override (U+202E) can make gpj.exe display as exe.jpg, or make source code render differently from how it is stored (the “Trojan Source” attack). This inspector finds every such character, names it, and shows where it sits.

How it works

The tool scans the input code point by code point and checks each against the complete set of Unicode bidirectional formatting and override controls: LRM U+200E, RLM U+200F, ALM U+061C, LRE U+202A, RLE U+202B, PDF U+202C, LRO U+202D, RLO U+202E, and the isolates LRI U+2066, RLI U+2067, FSI U+2068, PDI U+2069. Each match is reported with its standard name, its U+XXXX value and its index in the string. The inline view replaces each control with a visible labelled marker so you can see exactly where the reordering is injected, and a “stripped” output removes them all.

Example

A filename stored as invoice‮gpj.exe (with an RLO before gpj.exe) renders to the eye as invoiceexe.jpg. The inspector flags one character — RLO (U+202E) at the override position — making it obvious the file is really a .exe.

Tips and notes

Code hosting platforms now warn about BiDi characters in diffs; this tool lets you check a snippet or filename before you trust it.
The PDF (U+202C) and PDI (U+2069) characters close an override or isolate; an unbalanced override with no matching close is a strong red flag.