vojtech-dobes / nette.ajax.js

Flexible AJAX for Nette Framework. Supports snippets, redirects etc.
https://componette.org/vojtech-dobes/nette.ajax.js/
MIT License

forms: password inputs cleared after submission #67

Closed uestla closed 10 years ago

uestla commented 11 years ago

I saw this at the TYPO3 backoffice login form and thought to myself it's a nice pseudo-security feature just to clear the password input (but send its value anyway) right after I hit Enter...

vojtech-dobes commented 11 years ago

What is the real benefit of doing that? Can you point me to some article or something?

vojtech-dobes commented 10 years ago

ping @uestla

fprochazka commented 10 years ago

After you send a form, Nette is removing its values because it's unsafe to send the password both ways.

On the other hand, when you send the form using ajax, there is no need to send back the snippet with entire form's HTML. So there is no need to reset the value.

I strongly advise you not to merge this. I would hate to have to maintain my own fork.

hrach commented 10 years ago

I strongly advise you not to merge this. I would hate to have to maintain my own fork.

trolling?

fprochazka commented 10 years ago

Nope. I wouldn't have made my own package, I would just keep rebasing it (just like I had to one time with my devel branch in my Nette fork), but that's annoying :)

fprochazka commented 10 years ago

@hrach Let's get back to the topic, you think the proposed change is a good idea?

hrach commented 10 years ago

@fprochazka I think that your last argument is quite (totally ;) irrelevant.

A password is a quite dangerous value; it should be unreachable as soon as possible.

uestla commented 10 years ago

@fprochazka agreed, but I didn't mean to protect the input value from being stolen from the HTML node, but to protect it by clearing its value so that it's impossible to visually see how many characters the password consists of.

I agree on the other hand that it's quite non-standard (unfortunately?) behavior.

vojtech-dobes commented 10 years ago

I think the main disadvantage is that when some server-side error occurs (I mean a form error), the user cannot easily resend the form, but must fill in the password a second time. I have experienced this behavior on a couple of sites and I usually write the password somewhere else and copy it for easy reinserting, which is in the end even worse from a security point of view.

Nevertheless, this behavior can be very easily implemented as an extension. If you change this pull to an extension, I will merge it :) (a separate extension in the extensions directory).
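An extension of the kind suggested above, added here as an example and not code from the nette.ajax.js project or this pull request. It assumes the `$.nette.ext(name, callbacks)` registration API, that the `before` callback runs after the built-in `forms` extension has serialized the request data, and that `settings.nette.form` is the jQuery-wrapped submitted form; the blanking logic itself is a plain function so it can be exercised without a browser.

```javascript
// Blank every non-empty password field in `fields` and return how many were
// cleared. `fields` may be real DOM inputs or constructed {type, value} stand-ins.
function clearPasswordFields(fields) {
  let cleared = 0;
  for (const field of fields) {
    if (String(field.type).toLowerCase() === 'password' && field.value !== '') {
      field.value = '';
      cleared++;
    }
  }
  return cleared;
}

// Constructed sample form, standing in for the DOM inputs of a login form.
const demoFields = [
  { type: 'text', value: 'alice' },
  { type: 'password', value: 'correct horse battery staple' },
  { type: 'password', value: '' }, // already empty: left alone, not counted
];

// Stand-alone demo: the username survives, the filled password is blanked.
function demo() {
  const cleared = clearPasswordFields(demoFields);
  return { cleared, username: demoFields[0].value, password: demoFields[1].value };
}

// Registration with nette.ajax.js (assumed API); only runs where jQuery and
// $.nette are loaded, so the file is harmless under Node as well.
if (typeof jQuery !== 'undefined' && jQuery.nette) {
  jQuery.nette.ext('clearPasswords', {
    // Assumed ordering: `before` fires after `prepare`, where the `forms`
    // extension has already copied the field values into settings.data, so the
    // password is still sent while the input no longer reveals its length.
    before: function (xhr, settings) {
      if (settings.nette && settings.nette.form) {
        clearPasswordFields(settings.nette.form.find('input').get());
      }
    },
  });
}
```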

fprochazka commented 10 years ago

@vojtech-dobes :+1:

rostenkowski commented 10 years ago

:-1:

fprochazka commented 10 years ago

@rostenkowski what? it's an extension

rostenkowski commented 10 years ago

Security through obscurity.

vojtech-dobes commented 10 years ago

Security through obscurity.

Yeah, that's why it wasn't merged :).