Spoofchecker does NOT recognize zero-width spaces #20414

@D3strukt0r

Description

https://3v4l.org/9dMTh#v8.4.14

I found out about this when using the Symfony NoSuspiciousCharacters validator, and the example code is a reproduction of all steps during debugging.

https://symfony.com/doc/current/reference/constraints/NoSuspiciousCharacters.html

https://github.com/symfony/symfony/blob/7.3/src/Symfony/Component/Validator/Constraints/NoSuspiciousCharactersValidator.php

The following code:

<?php

$values = [
    "Zero Width Space" => "MaxMustermann",
    "Zero Width Space" => "Max\u{200B}Mustermann",
    "Zero Width Non-Joiner" => "Max\u{200C}Mustermann",
    "Zero Width Joiner" => "Max\u{200D}Mustermann",
    "Zero Width No-Break Space" => "Max\u{FEFF}Mustermann",
];

$checker = new \Spoofchecker();

$checks = \Spoofchecker::INVISIBLE | \Spoofchecker::MIXED_NUMBERS | \Spoofchecker::HIDDEN_OVERLAY;
$checks |= \Spoofchecker::SINGLE_SCRIPT;

$checker->setRestrictionLevel(\Spoofchecker::MODERATELY_RESTRICTIVE);
$checker->setAllowedLocales('de,fr,it');
$checker->setChecks($checks);

foreach ($values as $check => $value) {
    echo $check."\n";
    var_dump(preg_match('/[\x{200B}\x{200C}\x{200D}\x{FEFF}\x{2060}\x{2061}\x{2062}\x{2063}\x{2064}]/u', $value));
    var_dump($checker->isSuspicious($value, $errorCode));
    var_dump($errorCode);
    echo "\n";
}

Resulted in this output:

Zero Width Space
int(1)
bool(false)
int(0)

Zero Width Non-Joiner
int(1)
bool(false)
int(0)

Zero Width Joiner
int(1)
bool(false)
int(0)

Zero Width No-Break Space
int(1)
bool(false)
int(0)

But I expected this output instead:

Zero Width Space
int(1)
bool(true)
int(1) (no idea)

Zero Width Non-Joiner
int(1)
bool(true)
int(1) (no idea)

Zero Width Joiner
int(1)
bool(true)
int(1) (no idea)

Zero Width No-Break Space
int(1)
bool(true)
int(1) (no idea)

symfony/symfony#62338

PHP Version

PHP 8.4.14 (cli) (built: Oct 24 2025 19:15:19) (NTS)
Copyright (c) The PHP Group
Built by https://github.com/docker-library/php
Zend Engine v4.4.14, Copyright (c) Zend Technologies
    with Zend OPcache v8.4.14, Copyright (c), by Zend Technologies
    with Xdebug v3.4.7, Copyright (c) 2002-2025, by Derick Rethans

ICU v72.1

Operating System

No response
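
An added example, not part of the original issue and not PHP's or Symfony's own code: an explicit scan using the same character class as the report's preg_match(), run alongside Spoofchecker so that a value is rejected if either check objects. The names findInvisibleCodePoints and isAcceptableName are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example, not from the issue: explicit invisible-character scan to
// run next to Spoofchecker. Function names here are hypothetical.

// Same code points as the preg_match() in the report.
const INVISIBLE_PATTERN =
    '/[\x{200B}\x{200C}\x{200D}\x{FEFF}\x{2060}\x{2061}\x{2062}\x{2063}\x{2064}]/u';

/** Returns [byte offset => "U+XXXX"] for each invisible code point found. */
function findInvisibleCodePoints(string $value): array
{
    // With the /u modifier, preg_match_all() returns false on malformed UTF-8.
    $count = preg_match_all(INVISIBLE_PATTERN, $value, $m, PREG_OFFSET_CAPTURE);
    if ($count === false) {
        throw new InvalidArgumentException('Input is not valid UTF-8');
    }
    $found = [];
    foreach ($m[0] as [$char, $offset]) {
        $found[$offset] = sprintf('U+%04X', mb_ord($char, 'UTF-8'));
    }
    return $found;
}

/** Accepts a value only if neither the regex scan nor Spoofchecker objects. */
function isAcceptableName(string $value, \Spoofchecker $checker): bool
{
    if (findInvisibleCodePoints($value) !== []) {
        return false;
    }
    return !$checker->isSuspicious($value);
}

$checker = new \Spoofchecker();
$checker->setAllowedLocales('de,fr,it');
$checker->setChecks(\Spoofchecker::INVISIBLE | \Spoofchecker::SINGLE_SCRIPT);

// Constructed sample inputs.
$samples = ["MaxMustermann", "Max\u{200B}Mustermann", "Max\u{FEFF}Muster\u{200D}mann"];
foreach ($samples as $s) {
    printf("%s => %s [%s]\n",
        json_encode($s),
        isAcceptableName($s, $checker) ? 'accepted' : 'rejected',
        implode(', ', findInvisibleCodePoints($s)));
}
```

The script needs the intl and mbstring extensions; reporting the byte offset and code point makes a rejected value easier to diagnose than a bare boolean.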
