Opened 17 years ago

Closed 17 years ago

#3409 closed (fixed)

PasswordInput that doesn't render value in newforms

Reported by: scott@…
Owned by: Adrian Holovaty
Component: Forms
Version: dev
Severity:
Keywords: PasswordInput security widget
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The PasswordInput widget in newforms renders its value to HTML, which means the password is in cleartext in the HTML. That's fine in some situations, but it's common for security to output an empty password field and have the user enter it again (e.g. if log in fails or registration form does not validate).

I suggest either:

A separate widget, e.g. PrivatePasswordInput, see widgets.diff

Or a parameter for the existing PasswordInput, see widgets2.diff

Attachments (3)

widgets.diff (576 bytes) - added by scott@… 17 years ago.
widgets.py with PrivatePasswordInput
widgets2.diff (650 bytes) - added by scott@… 17 years ago.
widgets.py with PasswordInput taking render_value param
password-input.diff (1.8 KB) - added by scott@… 17 years ago.
Diff for PasswordInput widgets and forms tests


Change History (7)

by scott@…, 17 years ago

Attachment: widgets.diff added

widgets.py with PrivatePasswordInput

by scott@…, 17 years ago

Attachment: widgets2.diff added

widgets.py with PasswordInput taking render_value param

comment:1 by Adrian Holovaty, 17 years ago

Needs tests: set
Triage Stage: Unreviewed → Accepted

Let's use the one with render_value -- widgets2.diff. Could you contribute some unit tests? As soon as those are in, this will be good to go.

by scott@…, 17 years ago

Attachment: password-input.diff added

Diff for PasswordInput widgets and forms tests

comment:2 by scott@…, 17 years ago

I have attached password-input.diff which contains the change to PasswordInput and some tests in regressiontests/forms (hope that's the right place).

comment:3 by Chris Beaven, 17 years ago

Needs tests: unset
Triage Stage: Accepted → Ready for checkin

Thanks Scott - looks good.

comment:4 by Adrian Holovaty, 17 years ago

Resolution: fixed
Status: new → closed

(In [4523]) Fixed #3409 -- Added render_value argument to newforms PasswordInput. Thanks for the patch, scott@…
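
An added sketch of the behaviour this ticket settled on, not Django's code or the attached patch: a stand-in `PasswordInput` with a `render_value` flag, plus a check that flags password fields whose value is echoed in rendered HTML. The class body, the default of `True`, the helper `echoed_password_fields` and the sample values are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser


class PasswordInput:
    """Stand-in widget for illustration; not Django's implementation."""

    def __init__(self, attrs=None, render_value=True):
        # Assumption: default keeps the behaviour the ticket describes (value echoed).
        self.attrs = dict(attrs or {})
        self.render_value = render_value

    def render(self, name, value, attrs=None):
        final = {"type": "password", "name": name, **self.attrs, **(attrs or {})}
        # With render_value=False the submitted password never reaches the HTML.
        if self.render_value and value not in (None, ""):
            final["value"] = value
        pairs = " ".join(f'{k}="{escape(str(v), quote=True)}"' for k, v in final.items())
        return f"<input {pairs} />"


class _EchoFinder(HTMLParser):
    """Records the name of every password input carrying a non-empty value."""

    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password" and a.get("value"):
            self.leaks.append(a.get("name", ""))


def echoed_password_fields(html):
    """Return names of password fields whose value is present in the markup."""
    finder = _EchoFinder()
    finder.feed(html)
    finder.close()
    return finder.leaks


if __name__ == "__main__":
    submitted = 'hunter2"><b>'  # constructed sample password from a failed login
    for widget in (PasswordInput(), PasswordInput(render_value=False)):
        html = widget.render("password", submitted)
        print(html, "->", echoed_password_fields(html))
```

The same `echoed_password_fields` check can be run over any re-rendered login or registration page in a test suite to confirm no password field carries the submitted value.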
