Actual behavior:

  • Create entity with field of type Secret
  • Create a form with input(u.password)
  • Visit form
  • Notice that “value=mysecretpassword”

Expected behavior:

  • The password should not be stored plaintext by default (instead of having to use .digest())
  • The password should not be sent back to the client ever
Submitted by Sverre Rabbelier on 26 February 2010 at 13:50

On 26 February 2010 at 14:21 Eelco Visser commented:

Workaround:

var p : Secret                       // transient local; only the entity field u.password is persisted
form{ input(p) }                     // the input binds to p, so u.password is never rendered into the form
action("Save Password", action{ u.password := p.digest(); })   // store only the digest, never the plaintext

On 26 February 2010 at 14:25 Sverre Rabbelier commented:

That is the workaround that we’re currently using, but the system should of course be safe by default ;).


On 26 February 2010 at 14:44 Eelco Visser commented:

That’s why I called it a workaround
