Edit field for Secret type includes original password in field
Actual behavior:
- Create entity with field of type Secret
- Create a form with input(u.password)
- Visit form
- Notice that “value=mysecretpassword”
Expected behavior:
- The password should not be stored plaintext by default (instead of having to use .digest())
- The password should not be sent back to the client ever
Submitted by Sverre Rabbelier on 26 February 2010 at 13:50
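An added illustration in Python (not WebDSL or the project's own code) of the two expected behaviours above: a Secret field whose rendered input never carries its stored value, and a save path that stores a salted digest instead of the plaintext. The `user` record, the renderer and helper names are constructed for this example.

```python
"""Added example: why a Secret-typed input must not echo its stored value,
and what a safe-by-default renderer and save path look like instead."""
import hashlib
import hmac
import html
import os
from typing import Optional

# Constructed entity: one record with a Secret-typed 'password' field.
user = {"name": "alice", "password": "mysecretpassword"}

def render_input_naive(name: str, value: str) -> str:
    # Reported behaviour: the stored value is serialised into the markup,
    # so anyone who can view the page source reads the secret.
    return f'<input type="password" name="{name}" value="{html.escape(value)}">'

def render_input_secret(name: str) -> str:
    # Expected behaviour: a Secret field never sends its value back to the client.
    return f'<input type="password" name="{name}" value="">'

def digest(plain: str, salt: Optional[bytes] = None) -> str:
    # Expected behaviour: store a salted, slow hash, never the plaintext.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()

def check(plain: str, stored: str) -> bool:
    # Constant-time comparison of the recomputed digest against the stored one.
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", plain.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)

def save_password(entity: dict, submitted: str) -> None:
    # Same idea as the thread's workaround: assign the digest, not the input.
    # An empty submission means "unchanged", because the form never echoes
    # the current value and the user may simply have left the field blank.
    if submitted:
        entity["password"] = digest(submitted)

def leaks_secret(markup: str, secret: str) -> bool:
    # Simple check a reviewer can run over rendered output.
    return secret in markup
```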
Issue Log
On 26 February 2010 at 14:21 Eelco Visser commented:
Workaround:
    var p : Secret
    form {
      input(p)
      action("Save Password", action {
        u.password := p.digest();
      })
    }
On 26 February 2010 at 14:25 Sverre Rabbelier commented:
That is the workaround that we’re currently using, but the system should of course be safe by default ;).
On 26 February 2010 at 14:44 Eelco Visser commented:
That’s why I called it a workaround.