Opened 18 years ago
Closed 18 years ago
#3409 closed (fixed)
PasswordInput that doesn't render value in newforms
Reported by: | Owned by: | Adrian Holovaty | |
---|---|---|---|
Component: | Forms | Version: | dev |
Severity: | Keywords: | PasswordInput security widget | |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The PasswordInput widget in newforms renders its value to HTML, which means the password is in cleartext in the HTML. That's fine in some situations, but it's common for security to output an empty password field and have the user enter it again (e.g. if login fails or a registration form does not validate).
I suggest either:
A separate widget, e.g. PrivatePasswordInput, see widgets.diff
Or a parameter for the existing PasswordInput, see widgets2.diff
Attachments (3)
Change History (7)
by , 18 years ago
Attachment: | widgets.diff added |
---|
by , 18 years ago
Attachment: | widgets2.diff added |
---|
widgets.py with PasswordInput taking render_value param
comment:1 by , 18 years ago
Needs tests: | set |
---|---|
Triage Stage: | Unreviewed → Accepted |
Let's use the one with render_value -- widgets2.diff. Could you contribute some unit tests? As soon as those are in, this will be good to go.
by , 18 years ago
Attachment: | password-input.diff added |
---|
Diff for PasswordInput widgets and forms tests
comment:2 by , 18 years ago
I have attached password-input.diff which contains the change to PasswordInput and some tests in regressiontests/forms (hope that's the right place).
comment:3 by , 18 years ago
Needs tests: | unset |
---|---|
Triage Stage: | Accepted → Ready for checkin |
Thanks Scott - looks good.
comment:4 by , 18 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
widgets.py with PrivatePasswordInput
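
The behaviour this ticket describes, as an added stand-alone example (not Django's code and not the attached patches): a minimal model of a password widget with a `render_value` switch, re-rendering a form after failed validation. The class body, the `redisplay_form` helper, the default of `render_value=True` and the sample submission are assumptions made for illustration.

```python
# Added illustration: models the widget behaviour discussed in the ticket.
# It does not import Django; names and defaults below are assumptions.
from html import escape


class PasswordInput:
    """Minimal model of a password widget with a render_value switch."""

    def __init__(self, render_value=True):
        # True reproduces the reported behaviour: the submitted value is echoed.
        self.render_value = render_value

    def render(self, name, value, attrs=None):
        if not self.render_value:
            value = None  # drop the submitted secret before building markup
        final = {"type": "password", "name": name, **(attrs or {})}
        if value not in (None, ""):
            final["value"] = value
        parts = " ".join(
            f'{key}="{escape(str(val), quote=True)}"' for key, val in final.items()
        )
        return f"<input {parts} />"


def redisplay_form(widget, submitted):
    """Re-render the fields as a view would after validation fails."""
    username = escape(submitted["username"], quote=True)
    return "\n".join([
        f'<input type="text" name="username" value="{username}" />',
        widget.render("password", submitted.get("password")),
    ])


# Constructed sample submission (not real data).
SUBMITTED = {"username": "alice", "password": 's3cr3t"<x>'}

leaky = redisplay_form(PasswordInput(render_value=True), SUBMITTED)
safe = redisplay_form(PasswordInput(render_value=False), SUBMITTED)

if __name__ == "__main__":
    print(leaky)  # password appears in the page source (and any cached copy)
    print(safe)   # password field comes back empty
```

With `render_value=False` the non-secret fields still round-trip, so the user only has to retype the password.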