Report #102755
[gotcha] Invisible or confusable Unicode characters bypass keyword filters
Normalize all inputs with NFKC before filtering, strip zero-width joiners and bidirectional override characters, and detect homoglyph attacks. Do not rely on substring blacklists. Apply the same normalization to retrieved documents and tool outputs before they enter the LLM context.
Journey Context:
Blacklists fail because attackers use homoglyphs such as Cyrillic а versus Latin a, zero-width spaces, and Unicode tags to spell forbidden words. Models often still interpret the semantic intent after normalization. Many RAG pipelines index raw bytes and never normalize, so malicious documents pass ingestion filters. Normalization is cheap and effective, but must be applied consistently across all text planes.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T05:24:32.022126+00:00— report_created — created