Good article, Patrick. It is so easy to say "oh, those stupid/lazy/naive web-form programmers". But actually this is a fiendish problem to solve correctly - as your article demonstrates.
What's wrong with rejecting no characters and using escaping/encoding to avoid injection problems etc.? That catches every possible edge case - even the ones I don't know yet.
The hard problem is validating the data - but you don't actually have to do it.
http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-b...
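The "reject nothing, encode at the sink" approach described in the comment above, as an added example (not code from any commenter or from the linked article). It assumes Python's standard library only: an in-memory SQLite table stands in for the application's datastore, and the sample names are constructed to include characters that naive name filters typically reject (an apostrophe, HTML metacharacters, a SQL-looking fragment, non-Latin script). Nothing is stripped or rejected; SQL safety comes from parameter binding and HTML safety from output encoding.

```python
import html
import sqlite3

# Constructed sample inputs: each would trip a naive "allowed characters" filter,
# yet all are legitimate values to store as-is.
SAMPLE_NAMES = [
    "Siobhán O'Brien",
    "<script>alert(1)</script>",
    "Robert'); DROP TABLE users;--",
    "李小龍",
]


def open_db():
    """Create an in-memory SQLite database with a minimal users table (test fixture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def store_name(conn, name):
    """Store the name verbatim.

    The '?' placeholder hands the value to the driver as data, so it never becomes
    part of the SQL grammar; no character in the name needs to be rejected or escaped here.
    """
    cur = conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()
    return cur.lastrowid


def load_names(conn):
    """Return all stored names in insertion order, exactly as given."""
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY id")]


def render_greeting(name):
    """Encode for the HTML text/attribute context at output time.

    html.escape with quote=True converts & < > " and ' so the stored value can be
    placed inside element content or a quoted attribute without changing the markup.
    """
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def round_trip(names=SAMPLE_NAMES):
    """Store every sample name and read it back; returns the stored list unchanged."""
    conn = open_db()
    for n in names:
        store_name(conn, n)
    stored = load_names(conn)
    conn.close()
    return stored


if __name__ == "__main__":
    for stored in round_trip():
        print(render_greeting(stored))
```

The encoding has to match the sink: parameter binding for SQL, `html.escape` for HTML element content and quoted attributes. A value written into a JavaScript string, a URL, a shell command or an LDAP filter needs that context's own encoder, and the table still holds the original, unmodified name for every one of them.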