When Zero‑Width Isn’t Zero - Pagedout #8

January 28, 2026

When you set a max length on a form field or API, you expect it to hold. But what if a four-character string could secretly carry 10,000 extra bytes of invisible data, crashing your database or bypassing your validation? That was the vulnerability I found and fixed in the popular JavaScript library validator. It was a subtle bug involving Unicode Variation Selectors that allowed attackers to inject massive payloads while still passing length checks.
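The effect described above, as an added example that is not code from the article or from validator: `lenientCheck` is a hypothetical length check that ignores variation selectors, and `strictCheck` is one way to harden it. All function names and sample strings are constructed for illustration.

```javascript
// Unicode variation selectors: U+FE00..U+FE0F and U+E0100..U+E01EF.
const ANY_VS = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]/gu;
// A valid variation sequence is one base character plus ONE selector,
// so two or more selectors in a row never carry meaning.
const STACKED_VS = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]{2,}/u;

// Length as a reader perceives it: code points, selectors not counted.
function visibleLength(str) {
  return Array.from(str.replace(ANY_VS, '')).length;
}

// Size the string actually occupies once encoded for storage or transport.
function utf8Bytes(str) {
  return new TextEncoder().encode(str).length;
}

// Hypothetical weak check: bounds only the visible length.
function lenientCheck(str, maxChars) {
  return visibleLength(str) <= maxChars;
}

// Hardened check: reject stacked selectors, then bound both the visible
// length and the encoded size. The default byte budget (assumption) allows
// a 4-byte base character plus a 4-byte selector per visible character.
function strictCheck(str, maxChars, maxBytes = maxChars * 8) {
  if (STACKED_VS.test(str)) return false;
  return visibleLength(str) <= maxChars && utf8Bytes(str) <= maxBytes;
}

// Constructed inputs: four letters padded with invisible selectors,
// and a legitimate emoji that uses a single presentation selector.
const padded = 'abcd' + '\uFE0F'.repeat(3334);
const heart = '\u2764\uFE0F';

console.log(visibleLength(padded), utf8Bytes(padded)); // what is seen vs. stored
console.log(lenientCheck(padded, 4), strictCheck(padded, 4));
console.log(strictCheck(heart, 4));
```
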

Project link: https://pagedout.institute/webview.php?issue=8&page=27&article=When+Zero%E2%80%91Width+Isn%E2%80%99t+Zero
