The spellchecker tests the UTF-8 capabilities of the used browser
by sending an UTF-8 string to the backend, which will send it back
unfiltered. By comparing string length the spellchecker can work
around broken implementations. An attacker could construct a form to
Affected are all versions up to and including 2007-06-26 even when
the spell checker is disabled.