Update (2020-04-29): Twitter has fixed their oversight.
{
  "errors": [{
    "code": 356,
    "message": "preferences.gender_preferences.gender_override: Must provide a non-empty custom value 30 characters or less in length."
  }]
}
Anyone who already set their custom gender to a long volume of text should still have it set to that long volume of text.
The original article follows after the separator.
I was recently made aware of a change to Twitter, which exposes a new Gender field. If you’ve never specified your gender before, they guessed what it was (which is a really shitty thing to do, especially towards trans folks!).
Slightly annoyed, I went to go see what Twitter thinks my gender is.

Curses! They know I’m a guy. This won’t do at all.

But what’s this? An “Add your gender” option?

That’s at least something, I guess? Defaulting to [whatever the algorithm guesses] is sucky, but at least nonbinary folks can still self-identify however they want.
But 30 characters isn’t a lot. What if I want to drop in, say, 68 characters? Do I need to do some crazy Unicode fuckery to pull that off?

Nope: Inspect Element + set maxlength="255", and now Twitter thinks my gender is the EICAR test file. Wonderful!
Which means: If someone downloads my Twitter data without my consent onto a workstation running antivirus software, the file will delete itself and all will be right in the marketing world.
(Okay but seriously, a lot of downstream systemic failures would have to exist for any damage to occur from me deciding to self-identify to marketers this way.)
Lessons to Learn
Twitter enforced a maxlength of 30 in the HTML element of the “Add your gender” text input, but they didn’t enforce this requirement server-side. The takeaway here is pretty obvious: a maxlength attribute is a usability hint that any client can edit or ignore, so every limit the form advertises has to be checked again on the server before the value is stored.
Also, don’t try to automatically guess people’s gender at scale. It’s insulting when you get it wrong, and it’s creepy when you get it right.
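To make the lesson concrete, here is an added example of what the missing server-side check looks like. This is illustration code, not Twitter’s code; the function names, the request shape and the decision to count user-perceived characters (graphemes, falling back to code points) rather than UTF-16 units are my assumptions. The error code and message are the ones in the fixed response quoted in the update above.

```javascript
// Added example (not Twitter's code): server-side validation for a free-text
// field whose HTML form carries maxlength="30". The browser-side limit is
// advisory only; any client can send any length, so the server re-checks.

const MAX_GENDER_LENGTH = 30;          // the limit the form advertised
const ERROR_CODE_INVALID_VALUE = 356;  // the code in Twitter's fixed response

// Count user-perceived characters, not UTF-16 code units: an emoji such as
// "🦊" or "e" + combining acute accent must count once each. Intl.Segmenter
// (Node 16+) is assumed available; code points are the fallback.
function countCharacters(text) {
  if (typeof Intl !== "undefined" && typeof Intl.Segmenter === "function") {
    const segmenter = new Intl.Segmenter(undefined, { granularity: "grapheme" });
    let count = 0;
    for (const _segment of segmenter.segment(text)) count += 1;
    return count;
  }
  return Array.from(text).length; // code points, never .length (UTF-16 units)
}

// Validate the raw value from the request body. Returns { ok: true, value }
// or { ok: false, errors: [...] } in the shape of the JSON quoted above.
function validateGenderOverride(raw) {
  const fail = (message) => ({
    ok: false,
    errors: [{
      code: ERROR_CODE_INVALID_VALUE,
      message: `preferences.gender_preferences.gender_override: ${message}`,
    }],
  });

  if (typeof raw !== "string") {
    return fail("Must provide a string value.");
  }
  // Normalize so that equivalent spellings of the same text are measured
  // the same way, then strip surrounding whitespace before measuring.
  const value = raw.normalize("NFC").trim();
  if (value.length === 0 || countCharacters(value) > MAX_GENDER_LENGTH) {
    return fail("Must provide a non-empty custom value 30 characters or less in length.");
  }
  return { ok: true, value };
}

// Simulated request handler (hypothetical): every value is validated here,
// regardless of what the HTML form claimed, before anything is stored.
function handleUpdateGender(requestBody) {
  const result = validateGenderOverride(requestBody.gender_override);
  if (!result.ok) {
    return { status: 400, body: { errors: result.errors } };
  }
  return { status: 200, body: { gender_override: result.value } };
}

// Constructed sample requests: one within the limit, one 68-character value
// of the kind the form's maxlength would have blocked in the browser.
console.log(handleUpdateGender({ gender_override: "Nonbinary" }));
console.log(handleUpdateGender({ gender_override: "x".repeat(68) }));
```

The point of counting graphemes is that “30 characters” has to mean the same thing on both sides; if the server measured UTF-16 units or bytes while the form measured characters, a value the browser accepts could be rejected (or vice versa), and the two limits would drift apart again.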

What’s the Upper Limit for the Field?
I don’t know, but this indicates it has a larger upper bound than a tweet.
If anyone has success dropping an entire thesis on gender identity and culture in the Gender field, let me know.
Update: The Best Genders
Everyone is having a lot of fun with the Gender field. Here’s some of the best tweets I’ve seen since publishing this stupid bug.
https://twitter.com/hedgehog_emoji/status/1254650551473594368
A fox in Furry Technologists suggested building genderfs, which is a lot like redditfs but hoists the entire filesystem into the Gender field.
While I have your attention, trans rights are human rights and biology disagrees with the simple notion of “two sexes”. Thank you and good night.
5 replies on “Why Server-Side Input Validation Matters”
[…] One against Twitter’s Gender field […]
[…] they’re even worse at system design, as evidenced by the Twitter gender fiasco in 2020, where people trivially bypassed the 30 character gender limit to store, among other things, the […]
[…] you only enforce input validation on the client-side, modestly clever people will completely disregard your requirements. This happened to Twitter! (See linked […]
[…] first real blog post here was about how, in April 2020, you could bypass Twitter’s client-side validation to make your Gender field hold a megabyte of data. This was publicly disclosed and widely exploited by trans people in protest of being misgendered […]