http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12473

password fields are not validated using javascript (lengths)

------- Additional Comments From [EMAIL PROTECTED]  2003-10-07 03:38 -------
In thinking about this, Option 1 and Option 2
are not exclusive, and can coexist.

Currently Struts 1.1 users --are-- revealing their
min/max lengths for all field types, including
passwords, to hackers. So a new bug report might need to be
filed to fix this. Again, this fix would probably require
modifying the DTD for the validator to say drop the server
side checks, for all or some of the rules, and MOST importantly
don't generate the accompanying javascript.


A second alternative would be to define a new rule, to avoid
modifying the DTD, which is a hack.

Either approach would solve the needs of both camps, since neither's needs
are being met by Struts 1.1.

However, I believe the best option is for users not to use the
min/max length rules for passwords to start with and keep that
logic in the Business logic.

This would keep the javascript tag from becoming overly complicated.
