On a particular page in this application, we have a form which allows for a very select few to input data into it, because at the end of the day (and, well, event loop) we end up wrappping that input in to an eval which we highly sanitize and whitelist. This character however seems to bypass everything yet javascript seems to catch it with this error message
17:05:49.226 illegal character U+200B
So after looking into it, that is obviously the infamous Zero-width space character. Digging into it, it appears one of our users intentionally or accidently added it to the input field. I we are seeing it in a few different areas, can anyone help me understand what vector could be exploited, or what I should be looking for in regards to this? The resources i've found are here, but I can't seem to find anything directly relating to an exploit.
Ruby Talk VS Code Extension that helped track it down
You can clearly see it is inserted here:
Any advice / help would be appreciated, thanks in advance.