Comment by TacticalCoder

Comment by TacticalCoder 8 hours ago


> In the example, username validation is a job of another layer. For example, I want to make sure the username is shorter than 60 characters, has no emojis or zalgo text, and yes, no null bytes, and return a proper error from the API. I don't want my JSON parsing to fail on a completely different layer pre-validation.

Usernames are a bad example. Because at the point you mention, you may as well only allow a subset of visible ASCII. Which a lot of sites do and that works perfectly fine.

But for stuff like family names you have to restrict so many things, otherwise you'll have little-bobby-zalgo-with-hangul-modifiers wreaking havoc.

Unicode is the problem. And workarounds are sadly needed due to the clusterfuck that Unicode is.

Like TFA shows. Like any single homographic attack using Unicode characters shows.

If Unicode was good, it wouldn't regularly be on the front page of HN.