[ https://issues.apache.org/jira/browse/WICKET-591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alastair Maw resolved WICKET-591.
---------------------------------
Resolution: Fixed
Fix Version/s: 1.3.0-beta2 (was: 1.3.0-beta3)
Assignee: Alastair Maw
I don't expect the password returned to be HTML or SQL escaped - it's nonsense
to mess with the input like that. This is fixed in trunk (r548209).
> SignInPanel is not returning raw input
> --------------------------------------
>
> Key: WICKET-591
> URL: https://issues.apache.org/jira/browse/WICKET-591
> Project: Wicket
> Issue Type: Bug
> Components: wicket-auth-roles
> Affects Versions: 1.2.6
> Environment: All
> Reporter: Holger Szillat
> Assignee: Alastair Maw
> Priority: Trivial
> Fix For: 1.3.0-beta2
>
>
> The SignInPanel's getPassword()-method is returning the password via
> "password.getModelObjectAsString();". This will filter any "special"
> characters like !, $, or & from the input. For (strong?) passwords this may
> not be desirable. (See also
> http://cwiki.apache.org/WICKET/validating-passwordtextfield.html)
> I fixed this by returning "password.getInput();" from the method, although
> this may introduce other security problems like SQL injection.
> Maybe a flag would be a better solution?