win3zz/README.md

Created January 31, 2026 15:30

Star (0) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Select an option

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/win3zz/b184c28d7c3c3294ac08350929ce5c68.js"></script>
Save win3zz/b184c28d7c3c3294ac08350929ce5c68 to your computer and use it in GitHub Desktop.

Download ZIP

WTF Programming Quirks Master Sheet

Raw

Weird, surprising, sometimes scary language/parser/compiler quirks across major programming languages.

1. Unicode Escape Shenanigans

Language	Example	What Happens	Impact
Java	`// \u000d System.out.println("exec");`	Unicode processed before comment → newline injected → code runs	Comment-bypass, hidden payload
JS/TS	`var a\uFF0Eb = 1;`	Fullwidth dot makes variable look like `a.b`	Identifier spoofing
Python	`print("x")` (EN QUAD)	Invisible indentation → syntax changes	Hidden code flow
Go/Rust	`var рassword` (Cyrillic р)	Identifiers look identical	Code review deception

2. Invisible Control Characters

Language	Example	Effect	Impact
JS	`\u202E` (RTL override) inside string or comment	Reverses visual appearance of code	“Trojan source” attacks
C/C++	`\f`, `\v` inside macros	Changes macro expansion shape	Macro injection bugs
Python	`\x0c` (form feed)	Acts as whitespace	Structural ambiguity

3. Comment Boundary Confusion

Language	Example	Effect	Impact
Java	`/* */` + Unicode newline injection	Comment ends unexpectedly	Hidden logic
C	Trigraph `??/` becomes `\`	Escapes newline → breaks comment	Code execution inside blocked code
JS	HTML-style comments `<!--`	Old engines treat as comment	XSS filter bypass

4. Encoding-Dependent Behavior

Vector	Example	Effect	Impact
UTF-7 XSS	`+ADw-script+AD4-`	Browsers in UTF-7 decode `<script>`	Bypass HTML sanitizers
Shift-JIS	`%5C%5C`	`\` byte ends multibyte char	WAF bypass, path manipulation
Mixed Normalization	`å` vs `a\u030A`	Canonicalization mismatch	Authentication bypass

5. Parser Precedence Nightmares

Language	Example	Effect	Impact
PHP	`${${'_GET'}['cmd']}`	Variable variables → arbitrary execution	RCE in poorly validated PHP
JavaScript	`[] == ![]` → true	Type coercion insanity	Logic bugs, bypass conditions
Python	`True == 1` → true	Boolean algebra oddities	Input validation mistakes

6. Dangerous Legacy Features

Language	Example	Effect	Impact
C	Trigraphs: `??=` → `#`	Preprocessor turns weird sequences into directives	Security-critical macros changed
Perl	Bareword filehandles	Strings evaluated as identifiers	Unintended IO operations
PHP	Magic quotes, register_globals	Auto-created variables	Classic vuln scenarios

7. Multi-Stage Interpretation

Vector	Example	Effect	Impact
Bash	`eval "$(cat file)"`	Two interpretation layers	Injection multiplier
JS in JSON	`{"x": "</script><script>alert(1)"}`	JSON inside HTML breaks out	Stored XSS
SQL inside PHP	`$a="${b[$_GET[c]]}"`	PHP array → SQL → code	Chain vulnerabilities

8. Polyglot File Tricks

Type	Polyglot	Why it works	Impact
ZIP + PNG	ZIP EOCD at end of PNG	Both formats ignore trailing data	Format confusion
JS + JSON	`/* JSON */ {"x":1} // JS`	JS ignores JSON comments	Evasion
PDF + JS	JS inside PDF streams	Adobe executes it	Malware delivery

9. Whitespace Manipulation

Language	Example	Effect	Impact
Python	Mix of TAB + SPACE	IndentationError only at runtime	Hard-to-review logic
YAML	TABs in place of spaces	Different parsers behave differently	Config injection
Golang	`//line file.go:10`	Compiler directive	Fake filenames/lines

10. Hidden Runtime Directives Inside Comments

Language	Comment Magic	Behavior	Impact
TypeScript	`// @ts-ignore`	Compiler ignores error	Security logic unnoticed
C#	`#pragma warning disable`	Disables warnings	Audit bypass
PHP	`/* @noinspection */`	JetBrains suppresses errors	IDE trust issues

11. Template Engine Escape Oddities

Engine	Example	What Happens	Impact
Jinja2	`{{ config.items() }}`	Exposes internals	SSTI
Mustache	`{{{ triple-brace }}}`	Raw HTML output	XSS risk
Handlebars	`{{lookup . "key"}}`	Runtime evaluation	Logic injection

12. Runtime Redefinition & Monkey-Patching

Language	Example	Danger
Python	`int = lambda x: x`	Redefine builtins	Subtle breakage
Ruby	`class String; def hi; end; end`	Modify core classes	Supply-chain traps
JS	`Object.prototype.toString = ...`	Global behaviour shift	Sandbox escape surface

13. Configuration File Weirdness

Format	Example	Issue
INI	`key: value`	Some parsers read both `=` and `:`	Misinterpretation
YAML	`!!js/function > alert(1)`	Node YAML libs execute JS	RCE
Dockerfile	Trailing slash in COPY	Changes build context	Supply-chain bugs

14. Browser/Scripting Historical Quirks

Vector	Example	Effect
IE Conditional Comments	`<!--[if IE]>`	Code executed only in IE
JS Automatic Semicolon Insertion	`return\n{x:1}`	Returns undefined
CSS Escaping	`content: "\000026";`	Hidden characters

15. Fuzzing Target Oddities

These are things that mutate interestingly:

Vector	Mutation Target	Weird Behavior
JS Engines	Proxy traps	Can intercept almost everything
Python	`__getitem__` returning code	Yields weird eval chains
C Compilers	UB (undefined behaviour)	Compilers optimize away security checks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment