Security: allow removing characters above U+FFFF in RequestFactory

[JanTvrdik]

MySQL's utf8 encoding does not support characters above U+FFFF. Using utf8 encoding and not removing characters above U+FFFF can be used to bypass input validation. You can for example use this to bypass minimum length requirement for thread title on Nette forum. See excellent presentation Hacking with Unicode for more practical examples.

Applications must either use utf8mb4 encoding (which supports full UTF-8) or remove all characters above U+FFFF. I think that Nette should support both approaches.

We should certainly allow removing characters above U+FFFF in RequestFactory and either make it default or change default encoding in Nette\Database to utf8mb4.

---

Note: utf8mb4 encoding is available since MySQL 5.5.3 (2010-03-24)

[JanTvrdik]

@dg Any thoughts? What would you recommend to people who use Nette?

[dg]

utf8mb4 enabled, thx for suggestion nette/database@7988663

[dg]

	strict	nonstrict	note
names utf8, table utf8	error 1366	truncates string	for all < 5.5.3 users
names utf8mb4, table utf8	error 1366	replaces with ?	for nearly all >= 5.5.3 users
names utf8, table utf8mb4	error 1366	replaces with ????	fixed by nette/database@7988663

To remove characters on input is like magic quotes. It sould be solved on Database level, invalid character can be optionally converted to '?'.