It's not really a bug, but we should definitely address this at some point.
All the built-in attributes in Flarum are not validated when received, but before they are saved to the database.
For the discussion title, this makes no difference to regular Laravel since it's just a text value.
The post content however is parsed and converted to XML using the TextFormatter library and it's the XML output that's actually validated by
PostValidator. A single space results in the XML payload
<t> </t> which passes the Laravel validation.
It makes sense to validate the XML output for length, because if the input is shorter than 65535 characters but the XML output is longer, the value would get corrupted once inserted in the database.
It would make sense to add a second validation rule that applies to the unparsed post content, then it could be used to ensure the post isn't empty or other Laravel-based validations.
Apart from the fixing the missing "not empty" check, providing such a validator could lead to bad developer practice, because adding validation rules that operate on the raw text input could break bbcode or markdown syntaxes. The best practice is to use the
Saving event and the XML-based methods to extract only the parts of the post that the extension needs to validate, like plain text but not bbcode parameter names for example.