MySQL's `utf8` encoding does not support characters above U+FFFF. Using `utf8` encoding and not removing characters above U+FFFF can be used to bypass input validation. You can, for example, use this to bypass the minimum length requirement for a thread title on the Nette forum. See the excellent presentation Hacking with Unicode for more practical examples.
Applications must either use `utf8mb4` encoding (which supports full UTF-8) or remove all characters above U+FFFF. I think that Nette should support both approaches.
We should certainly allow removing characters above U+FFFF in RequestFactory and either make it the default or change the default encoding in Nette\Database to `utf8mb4`.
Note: `utf8mb4` encoding has been available since MySQL 5.5.3 (2010-03-24).
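
The second approach named above (removing characters above U+FFFF before validation), as an added PHP example; it is not code from Nette. The function names `stripSupplementary`, `naiveCheck` and `validateTitle`, the minimum length of 5 and the sample titles are assumptions made for illustration, and the mbstring extension is assumed to be loaded.

```php
<?php
declare(strict_types=1);

// Added example, not Nette code. All function names here are hypothetical.

/** Removes every code point above U+FFFF, i.e. every 4-byte UTF-8 sequence. */
function stripSupplementary(string $s): string
{
    // With the /u modifier preg_replace() returns null on malformed UTF-8,
    // so invalid input is rejected instead of being passed through.
    $out = preg_replace('/[\x{10000}-\x{10FFFF}]/u', '', $s);
    if ($out === null) {
        throw new InvalidArgumentException('Input is not valid UTF-8');
    }
    return $out;
}

/** Length check on the raw input: counts characters the column cannot store. */
function naiveCheck(string $raw, int $minLength): bool
{
    return mb_strlen(trim($raw), 'UTF-8') >= $minLength;
}

/** Length check on what a MySQL utf8 column is able to hold. */
function validateTitle(string $raw, int $minLength): string
{
    $title = trim(stripSupplementary($raw));
    if (mb_strlen($title, 'UTF-8') < $minLength) {
        throw new LengthException('Title is shorter than the minimum length');
    }
    return $title;
}

// Constructed sample input: the second title is two storable characters
// followed by eight characters above U+FFFF (U+1F600).
$samples = ['Valid thread title', 'Hi' . str_repeat("\u{1F600}", 8)];

foreach ($samples as $raw) {
    $naive = naiveCheck($raw, 5) ? 'accept' : 'reject';
    try {
        validateTitle($raw, 5);
        $hardened = 'accept';
    } catch (LengthException $e) {
        $hardened = 'reject';
    }
    printf("naive=%s hardened=%s bytes=%d\n", $naive, $hardened, strlen($raw));
}
```

With a `utf8mb4` column and connection the stripping step is unnecessary, because the stored value then matches what was validated.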