Posted to commits@wicket.apache.org by "Alastair Maw (JIRA)" <ji...@apache.org> on 2007/06/18 06:49:26 UTC

[jira] Resolved: (WICKET-591) SignInPanel is not returning raw input

     [ https://issues.apache.org/jira/browse/WICKET-591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alastair Maw resolved WICKET-591.
---------------------------------

       Resolution: Fixed
    Fix Version/s:     (was: 1.3.0-beta3)
                   1.3.0-beta2
         Assignee: Alastair Maw

I don't expect the password returned to be HTML or SQL escaped - it's nonsense to mess with the input like that. This is fixed in trunk (r548209).

> SignInPanel is not returning raw input
> --------------------------------------
>
>                 Key: WICKET-591
>                 URL: https://issues.apache.org/jira/browse/WICKET-591
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-auth-roles
>    Affects Versions: 1.2.6
>         Environment: All
>            Reporter: Holger Szillat
>            Assignee: Alastair Maw
>            Priority: Trivial
>             Fix For: 1.3.0-beta2
>
>
> The SignInPanel's getPassword() method is returning the password via "password.getModelObjectAsString();". This will filter any "special" characters like !, $, or & from the input. For (strong?) passwords this may not be desirable. (See also http://cwiki.apache.org/WICKET/validating-passwordtextfield.html)
> I fixed this by returning "password.getInput();" from the method, although this may introduce other security problems like SQL injection.
> Maybe a flag would be a better solution?
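
The trade-off discussed in this issue, as an added illustration in Python (not Wicket code and not part of the original messages): escaping a password on the way in changes the credential, while the raw value is harmless when it is only hashed and the lookup uses a bound parameter. Assumptions: `html.escape` stands in for an escaping getter, and the table layout, user name and sample strings are constructed for the demo.

```python
import hashlib
import hmac
import html
import os
import sqlite3

ITERATIONS = 100_000  # constructed work factor for this demo


def hash_password(password, salt):
    # Hash the bytes exactly as typed; nothing is escaped or filtered first.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(db, name, raw_password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (name, salt, hash_password(raw_password, salt)))


def sign_in(db, name, submitted):
    # The user name is a bound parameter; the password never enters SQL text.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(submitted, salt))


def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    password = "p&ss<w0rd>'!$"  # constructed sample password
    register(db, "alice", password)
    escaped = html.escape(password)  # assumption: stand-in for an escaping getter
    return {
        "escaped_value": escaped,
        "raw_ok": sign_in(db, "alice", password),
        "escaped_ok": sign_in(db, "alice", escaped),
        "quote_password_ok": sign_in(db, "alice", "' OR '1'='1"),
        "quote_name_ok": sign_in(db, "alice' OR '1'='1", password),
        "users": db.execute("SELECT COUNT(*) FROM users").fetchone()[0],
    }


if __name__ == "__main__":
    print(demo())
```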
