@sun Ah yes, proprietary data handling software that can't handle spaces or UTF-8 (in decent software you just memcpy the password into the format the salting and hashing function requires and such function doesn't care if it has spaces or multibyte characters it in).

That's a possible code injection vulnerability I reckon - you just need to bypass the client side checks.