Invisible Delimiter for Strings in HTML

Question

I need a way to identify certain strings in HTML markup. I know what the strings are, but it is possible that they could be substrings of other strings in the document. To find them, I output a special delimiter character (currently using \032). On page load, we go through the HTML and record the location of the strings, and remove the delimiter.

Unfortunately, most browsers show the delimiter character until we can find and remove them all. I'd like to avoid that if possible. Is there a character or string that will be preserved in the HTML content (so a comment wont work) but wont be visible to the user? It also needs to be something that is fairly unlikely to appear next to a string, so something like   wouldn't work either.

EDIT: Sorry, I forgot to mention that the strings will be in attributes, so any sort of tag wont work.

Answer 1

The best thing that I shall like to insert, which is not visible on the browser, will be a pair of tags with some special id, like <span id="delimiter" class="Delimiter"></span>. This will not show up on the content, while this can be present in the doc. You don't need to remove them.

Answer 2

‌ - zero-width non-joiner (see http://htmlhelp.org/reference/html40/entities/special.html)

On the off chance that this already appears in your text, double it up (eg: ‌‌mytext‌‌

---

Edit in response to comment: works in Firefox 3. Note that you have to search for the Unicode value of the entity.

<html>
<body>
    <div id="test">
        This is a &zwnj;test
    </div>

    <script type="application/javascript">
        var myDiv = document.getElementById("test");
        var content = myDiv.innerHTML;
        var pos = content.indexOf("\u200C");
        alert(pos);
    </script>
</body>
</html>

Answer 3

You could use LTR marks. Is this for some sort of XSS testing? If so, this might be of interest: Taint support for PHP