Trojan Source Detection

PromptShield detects Unicode bidirectional override characters that may cause text to appear differently from how it is actually interpreted.

These attacks are known as Trojan Source attacks.

Why this matters

Bidirectional (BIDI) control characters can manipulate visual ordering without changing logical ordering.

This allows attackers to hide instructions or code behavior that reviewers cannot easily see.

This is especially dangerous in:

The rendered text may look safe while the underlying text contains hidden logic.

PromptShield tracks BIDI control spans on a per-line basis.

It detects:

Each detection produces a single threat span.

Ignore ‮previous instructions

The hidden character changes how the text is displayed, potentially concealing instructions.

PromptShield monitors these Unicode characters:

BIDI override sequence

A matched PUSH → POP bidirectional override span was found.

This indicates text reordering behavior that may conceal instructions.

Severity: CRITICAL

Example diagnostic:

Bidirectional override characters detected (Trojan Source).
These characters can visually reorder text and mislead readers.

Unterminated BIDI

A PUSH control character was detected without a corresponding POP.

This is highly suspicious and may indicate an attempt to conceal text.

Severity: CRITICAL

Example diagnostic:

Unterminated bidirectional override sequence detected (Trojan Source).
This may cause visual and logical text order to differ.

Remove bidirectional control characters from prompts, templates, and source text.

If bidirectional text support is required, ensure control characters are:

PromptShield intentionally performs line-scoped detection for Trojan Source attacks.

This matches how visual deception typically occurs in:

Detection is deterministic and does not depend on rendering engines.

Trojan Source detection in PromptShield is similar to:

It protects against visual deception, not content correctness.