Hi guys,

Sorry about putting in a duplicate bug
(12908 = 12473) - I'll have to search Bugzilla
a bit more before hitting create next time... ;-)

I understand the security hole in client-side
JavaScript checking password fields but I wrongly
assumed it would have the same validation as username.
In the example's WEB-INF/validation.xml,
the "password" field has exactly the same XML
configuration elements and values as "username"
but the resultant behaviour when running the
app is different...

Is it worth just dropping in the following
comment in WEB-INF/validation.xml? -
<!-- NOTE: Form fields of password type are
     NOT validated in Javascript as this is
     a potential security hole -->

Perhaps the minlength/maxlength validation
of password should be removed altogether (for
security) for the example app? At present
it reposts the form with the same information
the JavaScript alert window tells me - so
it still poses a risk to hackers.
This will save a Struts newbie (like myself) 
seeing different behaviour for two fields which
have identical validation configuration in
WEB-INF/validation.xml.
Sorry if you think I am being pedantic but the
difference did strike me as odd on Sunday.

Thanks James H. for committing 12905.
Also thanks to Eddie B. for the tip about
attaching CVS diff -u's to bugs - I'll do
that in future as well as emailing the dev list.

Jon.
 