Opened 10 years ago

Closed 10 years ago

#3409 closed (fixed)

PasswordInput that doesn't render value in newforms

Reported by: scott@…
Owned by: Adrian Holovaty
Component: Forms
Version: master
Severity:
Keywords: PasswordInput security widget
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

The PasswordInput widget in newforms renders its value to HTML, which means the password is in cleartext in the HTML. That's fine in some situations, but it's common for security to output an empty password field and have the user enter it again (e.g. if log in fails or registration form does not validate).

I suggest either:

A separate widget, e.g. PrivatePasswordInput, see widgets.diff

Or a parameter for the existing PasswordInput, see widgets2.diff

Attachments (3)

widgets.diff (576 bytes) - added by scott@… 10 years ago.
widgets.py with PrivatePasswordInput
widgets2.diff (650 bytes) - added by scott@… 10 years ago.
widgets.py with PasswordInput taking render_value param
password-input.diff (1.8 KB) - added by scott@… 10 years ago.
Diff for PasswordInput widgets and forms tests


Change History (7)

Changed 10 years ago by scott@…

Attachment: widgets.diff added

widgets.py with PrivatePasswordInput

Changed 10 years ago by scott@…

Attachment: widgets2.diff added

widgets.py with PasswordInput taking render_value param

comment:1 Changed 10 years ago by Adrian Holovaty

Needs documentation: unset
Needs tests: set
Patch needs improvement: unset
Triage Stage: Unreviewed → Accepted

Let's use the one with render_value -- widgets2.diff. Could you contribute some unit tests? As soon as those are in, this will be good to go.

Changed 10 years ago by scott@…

Attachment: password-input.diff added

Diff for PasswordInput widgets and forms tests

comment:2 Changed 10 years ago by scott@…

I have attached password-input.diff which contains the change to PasswordInput and some tests in regressiontests/forms (hope that's the right place).

comment:3 Changed 10 years ago by Chris Beaven

Needs tests: unset
Triage Stage: Accepted → Ready for checkin

Thanks Scott - looks good.

comment:4 Changed 10 years ago by Adrian Holovaty

Resolution: fixed
Status: new → closed

(In [4523]) Fixed #3409 -- Added render_value argument to newforms PasswordInput. Thanks for the patch, scott@…
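
The behaviour this ticket asks for, as an added sketch that is not Django's code or any of the attached patches: a stand-in widget with a `render_value` switch, plus a check that a re-rendered form does not echo the submitted password. `PasswordInputSketch`, its `render_value=True` default and `echoed_passwords` are hypothetical names and assumptions; the sample password is constructed.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample input; the quote and angle bracket exercise attribute escaping.
SUBMITTED = 'hunter2"><x'


class PasswordInputSketch:
    """Stand-in widget (hypothetical) with the render_value switch discussed here."""

    def __init__(self, attrs=None, render_value=True):
        # Assumption: True as default mirrors the pre-patch behaviour described above.
        self.attrs = dict(attrs or {})
        self.render_value = render_value

    def render(self, name, value):
        final = {"type": "password", "name": name, **self.attrs}
        # Echo the submitted value back only when the caller opted in.
        if self.render_value and value:
            final["value"] = value
        pairs = " ".join(f'{k}="{escape(str(v), quote=True)}"' for k, v in final.items())
        return f"<input {pairs} />"


class _PasswordValueFinder(HTMLParser):
    """Collects the value attribute of every <input type="password">."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password" and a.get("value"):
            self.found.append(a["value"])


def echoed_passwords(html):
    """Return password values present in rendered HTML (empty list means none leaked)."""
    finder = _PasswordValueFinder()
    finder.feed(html)
    finder.close()
    return finder.found


if __name__ == "__main__":
    for flag in (True, False):
        page = PasswordInputSketch(render_value=flag).render("password", SUBMITTED)
        print(flag, page, echoed_passwords(page))
```

Running `echoed_passwords` over the response body of a failed login or registration view gives a regression check that the password field comes back empty.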
