DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12473>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12473
password fields are not validated using javascript (lengths)

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |UNCONFIRMED
         Resolution|WONTFIX                     |

------- Additional Comments From [EMAIL PROTECTED]  2003-10-07 03:03 -------
Please read these comments carefully, and those of Giri Alwar.

Currently, the max length is present in the HTML page if the field is marked a password field. So one of two things needs to happen.

1) The javascript tag needs to be modified not to generate JavaScript that includes the min field length for password fields.
2) The password field needs to be checked.

Having the client side and server side behave differently is kind of ugly. However, since the current default is not to check, we normally wouldn't change the default from what the Struts 1.1 release does. We can introduce a 'check' attribute for those people who do want to do this. This then adds a special attribute to the password tag that is not present in other tags. This is also ugly.

Option 1 would require the creation of either a 'password' rule, a 'server-only' rule, or adding an attribute to the validator-rule.xml file to say never check on the client side 'and' don't generate JavaScript that would disclose any information about this field. However, if the value is still checked on the server side then the validator will return an error message telling the hacker what the length is anyway. So option 1 is NOT an option.

If users don't want the max/min length of a field revealed then developers should not use the validator to enforce min/max. Instead they should use the business logic to return some cryptic message. Hence the behavior must change to be consistent.
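The disclosure the comment above describes, as an added illustration that is not code from the bug report or from the Struts validator: a generated client-side length check necessarily carries the field's min/max into the page source, and a server-side message that states the bounds leaks the same policy over the wire. The rule set, field names, generator shape and message texts below are constructed for this example and are not what the Struts javascript tag or validator-rule.xml actually emit.

```javascript
// Added example (not Struts code). Shows why length rules for a password
// field end up disclosed whether the check runs in the browser or on the
// server, and what the "cryptic message" alternative looks like.

// Constructed rule set in the spirit of a validation.xml entry (assumption).
const rules = {
  username: { minlength: 3, maxlength: 16 },
  password: { minlength: 8, maxlength: 20 },
};

// Emit a client-side validator script for every field with length rules,
// roughly what a validator tag does. Anyone who views the page source
// reads the limits for every field, password included.
function generateClientScript(formRules) {
  const lines = ['function validateLengths(form) {', '  var ok = true;'];
  for (const [name, r] of Object.entries(formRules)) {
    lines.push(
      `  if (form.${name}.value.length < ${r.minlength} || form.${name}.value.length > ${r.maxlength}) {`,
      `    alert("${name} must be between ${r.minlength} and ${r.maxlength} characters"); ok = false;`,
      '  }'
    );
  }
  lines.push('  return ok;', '}');
  return lines.join('\n');
}

// The "don't generate JavaScript for password fields" variant: the page no
// longer carries the password bounds, but the server check still has to run.
function generateClientScriptSkippingPasswords(formRules, passwordFields) {
  const filtered = Object.fromEntries(
    Object.entries(formRules).filter(([name]) => !passwordFields.includes(name))
  );
  return generateClientScript(filtered);
}

// Server-side check. disclose=true behaves like a validator message that
// states the bounds; disclose=false returns a generic message, which is the
// only way to keep the policy out of the response once the server checks.
function serverValidate(name, value, formRules, disclose) {
  const r = formRules[name];
  const valid = value.length >= r.minlength && value.length <= r.maxlength;
  if (valid) return { valid: true, message: null };
  const message = disclose
    ? `${name} must be between ${r.minlength} and ${r.maxlength} characters`
    : `${name} is invalid`;
  return { valid: false, message };
}

// Does a piece of text (page script or error message) reveal either bound
// of the named field's rule?
function disclosesBounds(text, name, formRules) {
  const r = formRules[name];
  return text.includes(String(r.minlength)) || text.includes(String(r.maxlength));
}
```

Run the generators against the constructed rules and compare: the full script discloses the password bounds in the page, the password-skipping script does not, and the server check leaks them again through its message unless the message is made generic.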