My bet there is that the client-side validation is counting octets, whereas the server, being Unicode-aware, is counting characters, and coming up with a different result.
1 Like
Characters in that codeblock (and indeed all of U+1xxxx) are four-octets long in UTF-8. I donât know what itâs counting, but Unicode 7/Unicode 8 issues (like amphora) could be in play.
Taking the string " 
" as an example, javascript says
"đ".length = 2
and Ruby says
"đ".length = 1
Which is the correct implementation here? @codinghorror's blog post says:
because itâs nice and simple for users. So is one character. That sounds reasonable to me.
However⊠the blog also says
This is indeed true of the Discourse password fields - one emoji = 2 characters. So if itâs showing as 2 characters in the password field, surely that should count as 2 characters in a password 
On a related note, it is currently very difficult to type emojis directly into html password inputs - you can only copy/paste them in. This is the case on Chrome on mac (using system emoji window), and also Safari on iOS (the emoji button doesnât even show up with the password field focused). So, as much as I try, I canât use 
as my password on Discourse (without cheating with copy/paste).
2 Likes
đ is four octets in UTF-8: Base64 visualizer
I have no idea why Javascript gets that count. (UTF-16?) But đ does show as âșâș in the password field of Discourse (for me).
3 Likes
A sentence with spaces - could be the best personal password choice
Iâm not sure a space would work. Itâs a control character and there might be some filters somewhere that wouldnât like it.
A space is absolutely fine, itâs just another character as far as a password is concerned. Try it here on meta - it works.
4 Likes
Testing again, now that I know my password manager is 
safe. The same thing happens now: enough emoji to get a green âokayâ is not enough to actually work. And as I tried longer and longer passwords, iteratively, it logged me out, I think on the third try. When I did successfully set it, to a 
emoji password, I still got a âyou have been logged outâ message flash by, but it didnât actually log me out.
Not sure if that log out thing is an emoji-specific bug or some sort of misguided (or at least unhelpful) feature. If it is a feature, please make the âyou have been logged outâ box explain why.
Yeah, this is due to Javascriptâs legacy causing it to mis-count the length of strings containing emoji (and other Astral Plane characters). The server counts the length correctly.
2 Likes