
For a list of strings that often cause problems (e.g., to add to a test suite), see https://github.com/minimaxir/big-list-of-naughty-strings


An enormously useful list, I’ve used it several times, and it can often dig up some real nastiness if you haven’t been super careful.

This entry, by the way, is a fantastic little easter egg in the list: https://github.com/minimaxir/big-list-of-naughty-strings/blo...


No, seriously, wake up


That was creepy!


Very handy. My previous simple test-case was simply a selection from this well-known text file, which is simply a collection of somewhat uncommon Unicode characters, usually used for rendering tests.

https://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-demo.txt

But this set of strings is specifically designed to cause edge-case errors.

Also don't forget Spolsky's seminal "The Absolute Minimum Every Software Developer Absolutely, Positively Must Know About Unicode and Character Sets (No Excuses!)".

https://www.joelonsoftware.com/2003/10/08/the-absolute-minim...


It's also important to width-test fields. Never forget to make sure that WWWWWWWWWWWW doesn't cause weird application wrapping.


I used a system where the maximum length on the "new password" field in the change password form was longer than the password field in the login form.

The symptom was that I could log in if I used my password manager browser plugin, but not if I pasted it from my password manager.


I have seen a Windows app with a text field whose max character count was somehow determined by system font size - probably a crude way to make sure the entered text fits the hard-coded field size.

The problem was that this field was used to enter a 10-digit code, and as it turns out, on a default Windows 10 system, the fonts are set up so that this field only fit 8 of them. Oops! :)


I'd like to see how that app would work with me sitting here with fonts cranked up to 175%. I've never heard of a setup like that though - it sounds like it'd be surprisingly intricate to actually configure.


Not fully related but you reminded me of this.

Around the time of AOL3 or early AOL4 someone found a user name exploit.

When making a new account, on the client side use winapi's EM_LIMITTEXT to bypass the max character limit on the input textbox. Enter one or two letters, a bunch of spaces, then some more letters.

The server side would truncate to the original length, leaving you with a one or two letter username, working around the 3+ requirement.
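
The ordering problem in the comment above (validate what was submitted, store something else), as an added example that is not part of the thread and is not AOL's code. `MAX_LEN`, the function names, and the trim-after-truncate step are assumptions made for illustration; the sample input is constructed.

```python
MIN_LEN = 3    # the "3+ requirement" mentioned in the comment
MAX_LEN = 10   # assumed field limit; the comment does not state the real one


def register_vulnerable(raw: str) -> str:
    """Checks the length of what was submitted, then truncates and trims.

    The check and the stored value disagree whenever raw is over-length.
    """
    if len(raw) < MIN_LEN:
        raise ValueError("username too short")
    return raw[:MAX_LEN].rstrip()   # the stored value was never validated


def register_hardened(raw: str) -> str:
    """Rejects over-length input, then validates the exact value it stores."""
    if len(raw) > MAX_LEN:
        raise ValueError("username too long")   # never silently truncate
    name = raw.strip()
    if len(name) < MIN_LEN:
        raise ValueError("username too short")
    return name


def accepted(register, raw: str):
    """Returns the stored username, or None if registration is refused."""
    try:
        return register(raw)
    except ValueError:
        return None


# Constructed input: two letters, padding past MAX_LEN, then more letters.
PADDED = "ab" + " " * 12 + "cd"

if __name__ == "__main__":
    for fn in (register_vulnerable, register_hardened):
        print(fn.__name__, repr(accepted(fn, PADDED)))
```

The client-side field limit plays no part in either function: the server has to enforce the length itself and run its checks on the canonical value it is about to store.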


I maintained a system where we had unbounded password length... but only respected the first six characters of the password. (We did fix that.)


Unix passwords worked that way for 8 characters for many years due to the crypt algorithm used.


IIRC VNC passwords are still like this.


Sounds like some banks I’ve heard of.


Discover (discover.com) currently has a similar bug where it'll allow me to log in with my password, but will not accept the same password in the 'Change password' workflow as the old password, complaining about it being invalid. (shrug)


You're lucky they weren't different lengths in the backend. I've been bitten by that surprise one too many times (which is any number higher than zero)


The most ridiculous thing is the UI for setting the password even said "X-Y characters long, must include at least one..." but the login page could not support Y characters.


> one too many times (which is any number higher than zero)

Nitpick: if the number is higher than one, then it's at least two times too many.


Related (we do this at my work): https://en.wikipedia.org/wiki/Pseudolocalization


For finding bugs caused by unexpected inputs I also find property-based testing very useful. For Python there is the excellent Hypothesis library for doing that: https://hypothesis.readthedocs.io/en/latest/


Great resource! I usually use pangrams (holoalphabetic sentences like "The quick brown fox jumps over the lazy dog") to ensure that my code can handle all the alphabet characters for the languages that should be supported at the very minimum.



