Dynalist is vulnerable to Zalgo



Steps to reproduce

Starting from scratch, what are the steps to make the bug happen? The fewer the steps, the better.

  1. Copy-paste Zalgo everywhere

Expected result

What do you expect to see after carrying out the steps above?

Lack of negative consequences like text bleed or slowness

Actual result

Instead of the expected result, what happened?

Text bleed is all over the place and Dynalist starts becoming unresponsive


Which operating system are you using? Which browser are you using? If you’re using a desktop or mobile app, what’s the version number of Dynalist?

Windows 8 x64 Chrome latest stable, however it happens everywhere.

Additional information

Anything else you think would help our investigation, like a screenshot or a log file? You can drag and drop screenshots to this box. For large amount of text, try putting them into something like Pastebin.

I pasted very little of it in fear of breaking my own Dynalist.

Additional comments

While this might not seem important, moderate zalgo-proofing should be done everywhere where there are collaboration features present. For an ok example see YouTube comments (try pasting something massive there).

To save a google search for anyone who doesn’t know how to create that - http://www.eeemo.net, among many others


Thanks for reporting. I have no idea how one would go around solving this though, @Shida?

Also @Dos have you tried other fonts, like “System”? (Not sure if this is related to fonts, just throwing out ideas)


No no, this behavior is sort of supposed to happen because it uses regular unicode capabilites, and the font doesn’t matter.

However it is possible to limit text bleed on other fields (example from youtube:
, and slowdown was weird and wasn’t supposed to happen.
Even opening file pane was slow.

Just to be clear - this is a very minor quirk. Very few sites protect against this.

ps. And to be extra-clear - this is definitely outside normal usage patterns :slight_smile:


Got it! Thanks for the clarification.

We’ll take a look at this when we have the bandwidth then. Thanks again!


I believe anyone trying this is probably not doing it maliciously, and thus it’s highly unlikely that it will affect other people. I’ve taken a quick look online but I have not found documentation on protection mechanisms.