> "less" also shows all the non-printable characters Only if you pass -U.

theamk · on Nov 1, 2021

No. What "-U" does is (quoting manpage): "Causes backspaces, tabs and carriage returns to be treated as control characters;"

So even without -U, all non-printable characters except BS, CR, TAB will be shown in hexadecimal notation. The BS (backspace) will be used to defined underlining in the typewriter-style -- it is technically hidden character, but since most web-based apps do not support this, that will not make an efficient attack.

(the homoglyphs are harder... in default mode, "less" defines printable as "32-126"; in "utf-8" mode it uses unicode character database. And mode depends on system-wide locale, and often is utf-8 in modern systems, so you want "LANG= less file.py" to see homoglyphs.. on the other hand, that homoglyph attack will be detected by pretty much any linter)

jwilk · on Nov 1, 2021

What the man page says about the -U option is either super confusing or outright wrong.

You do need -U to make bidi formatting characters visible:

  $ less --version | head -n1
  less 551 (GNU regular expressions)

  $ locale charmap
  UTF-8

  $ printf 'a\342\200\216b\n' | less -F
  a‎b

  $ printf 'a\342\200\216b\n' | less -U -F
  a<U+200E>b