Despite being on a Unix-based OS, browsers seem to always use \r\n for the newline character in forms. Browsers count these characters as a single character when using the maxlength attribute on <textareas> fields. However, the server-side validation counts \r\n as two characters.
This can result in edge-cases where a user is allowed (client-side) to enter a secret with a length greater than the max length as defined in the max_secret_length setting.
This PR replaces \r\n with \n in the secret text before counting the character length for validation purposes. This does not make any changes to line endings of the submitted secret. Thank you to @pgrungi for bringing this bug to my attention!
Despite being on a Unix-based OS, browsers seem to always use
\r\nfor the newline character in forms. Browsers count these characters as a single character when using themaxlengthattribute on<textareas>fields. However, the server-side validation counts\r\nas two characters.This can result in edge-cases where a user is allowed (client-side) to enter a secret with a length greater than the max length as defined in the
max_secret_lengthsetting.This PR replaces
\r\nwith\nin the secret text before counting the character length for validation purposes. This does not make any changes to line endings of the submitted secret. Thank you to @pgrungi for bringing this bug to my attention!Resolves: #62