Opened 9 years ago

Closed 8 years ago

#3409 closed (fixed)

PasswordInput that doesn't render value in newforms

Reported by: scott@…
Owned by: adrian
Component: Forms
Version: master
Severity:
Keywords: PasswordInput security widget
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

The PasswordInput widget in newforms renders its value to HTML, which means the password is in cleartext in the HTML. That's fine in some situations, but it's common for security to output an empty password field and have the user enter it again (e.g. if login fails or a registration form does not validate).

I suggest either:

A separate widget, e.g. PrivatePasswordInput, see widgets.diff

Or a parameter for the existing PasswordInput, see widgets2.diff

Attachments (3)

widgets.diff (576 bytes) - added by scott@… 9 years ago.
widgets.py with PrivatePasswordInput
widgets2.diff (650 bytes) - added by scott@… 9 years ago.
widgets.py with PasswordInput taking render_value param
password-input.diff (1.8 KB) - added by scott@… 9 years ago.
Diff for PasswordInput widgets and forms tests


Change History (7)

Changed 9 years ago by scott@…

widgets.py with PrivatePasswordInput

Changed 9 years ago by scott@…

widgets.py with PasswordInput taking render_value param

comment:1 Changed 9 years ago by adrian

  • Needs documentation unset
  • Needs tests set
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

Let's use the one with render_value -- widgets2.diff. Could you contribute some unit tests? As soon as those are in, this will be good to go.

Changed 9 years ago by scott@…

Diff for PasswordInput widgets and forms tests

comment:2 Changed 9 years ago by scott@…

I have attached password-input.diff which contains the change to PasswordInput and some tests in regressiontests/forms (hope that's the right place).

comment:3 Changed 9 years ago by SmileyChris

  • Needs tests unset
  • Triage Stage changed from Accepted to Ready for checkin

Thanks Scott - looks good.

comment:4 Changed 8 years ago by adrian

  • Resolution set to fixed
  • Status changed from new to closed

(In [4523]) Fixed #3409 -- Added render_value argument to newforms PasswordInput. Thanks for the patch, scott@…
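
Added example, not part of the ticket and not Django's code: a stand-alone Python sketch of the behaviour a `render_value` switch controls on a re-displayed form, plus a check that flags password inputs echoed with a value in rendered HTML. The names `render_password_input`, `leaked_password_fields` and `redisplay` are hypothetical, and the submitted form data is constructed.

```python
from html import escape
from html.parser import HTMLParser


def render_password_input(name, value, *, render_value):
    """Stand-in for a password widget's render step (hypothetical, not Django code)."""
    attrs = {"type": "password", "name": name}
    # Echo the submitted value back into the markup only when the caller opted in.
    if render_value and value:
        attrs["value"] = value
    rendered = " ".join(f'{k}="{escape(v, quote=True)}"' for k, v in attrs.items())
    return f"<input {rendered} />"


class _PasswordValueFinder(HTMLParser):
    """Collects names of password inputs that carry a non-empty value attribute."""

    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_password = tag == "input" and (a.get("type") or "").lower() == "password"
        if is_password and a.get("value"):
            self.leaks.append(a.get("name") or "")


def leaked_password_fields(html_text):
    """Return the names of password fields whose value is present in the markup."""
    finder = _PasswordValueFinder()
    finder.feed(html_text)
    finder.close()
    return finder.leaks


# Constructed sample: a registration form re-displayed after validation failed.
SUBMITTED = {"username": "alice", "password": 'hunter2"<'}


def redisplay(render_value):
    user = escape(SUBMITTED["username"], quote=True)
    return ('<form method="post">'
            f'<input type="text" name="username" value="{user}" />'
            + render_password_input("password", SUBMITTED["password"],
                                    render_value=render_value)
            + "</form>")
```

`leaked_password_fields` can be pointed at any rendered response body in a test suite to assert that an error re-display does not return the submitted password to the browser.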
