Hanno Schlichting wrote:
Removed _filterPasswordFields hack, preventing keys with the exact
key 'passw' to be filtered out in one place is just obscurity.
But you didn't de-obfuscate it, you ripped it out. Now, the response
view shows
2009/5/12 Tres Seaver tsea...@palladion.com:
The server side wouldn't know that: the presence of such a field in the
request is completely independent of any form (e.g., cookies passed long
after logging in).
I understand the issue, but shouldn't the remedy be to avoid ever
displaying request