Hi all

I wanted to ask why Rails' password_field helper uses the input password as default value when reloading a form because of errors? Isn't this a potential security leak? On any other website I've seen so far the password fields have to be filled in again after every reload of the page, so the password doesn't exist in plain text in the HTML code...

What do you think about that?

Greets, Josh

--
Posted via http://www.ruby-forum.com/.
Questionable whether this should be a framework thing or controlled by the programmer. I think I would rather have control over it than have it imposed on me. Better yet, maybe a password field could recognize a :reset_on_error attribute or something similar. Submit a patch and see how it goes.

Bob Silva

> -----Original Message-----
> From: rails-bounces@lists.rubyonrails.org [mailto:rails-bounces@lists.rubyonrails.org] On Behalf Of Joshua Muheim
> Sent: Tuesday, January 24, 2006 7:35 AM
> To: rails@lists.rubyonrails.org
> Subject: [Rails] Password fields and security?
>
> Hi all
>
> I wanted to ask why Rails' password_field helper uses the input password as default value when reloading a form because of errors? Isn't this a potential security leak? On any other website I've seen so far the password fields have to be filled in again after every reload of the page, so the password doesn't exist in plain text in the HTML code...
>
> What do you think about that?
>
> Greets, Josh
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
On 1/24/06, Bob Silva <me@bobsilva.com> wrote:
> Questionable whether this should be a framework thing or controlled by the programmer. I think I would rather have control over it than have it imposed on me. Better yet, maybe a password field could recognize a :reset_on_error attribute or something similar.

For reference, the Struts tag html:password has an attribute called "redisplay" that defaults to true. Makes it easy for the developer to decide how he wants the field to behave, and seemed like a pretty simple solution.

-- James
And a single line in the controller:

    self.password = ''

is less simple?

--
-- Tom Mornini

On Jan 24, 2006, at 8:39 AM, James Ludlow wrote:
> On 1/24/06, Bob Silva <me@bobsilva.com> wrote:
>> Questionable whether this should be a framework thing or controlled by the programmer. I think I would rather have control over it than have it imposed on me. Better yet, maybe a password field could recognize a :reset_on_error attribute or something similar.
>
> For reference, the Struts tag html:password has an attribute called "redisplay" that defaults to true. Makes it easy for the developer to decide how he wants the field to behave, and seemed like a pretty simple solution.
>
> -- James
On Jan 24, 2006, at 11:22 AM, Tom Mornini wrote:
> And a single line in the controller:
>
>     self.password = ''
>
> is less simple?

Oops, make that

    @object.password = ''

I hate it when I need to reply to myself. :-)

--
-- Tom Mornini
On 1/24/06, Tom Mornini <tmornini@infomania.com> wrote:
> On Jan 24, 2006, at 11:22 AM, Tom Mornini wrote:
>
>> And a single line in the controller:
>>
>>     self.password = ''
>>
>> is less simple?
>
> Oops, make that
>
>     @object.password = ''
>
> I hate it when I need to reply to myself. :-)

Same level of simplicity. It just depends on whether or not you think that it belongs in the controller instead of the view.

-- James
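To make the three positions in this thread concrete (the default behaviour Josh describes, a view-side switch like Struts' "redisplay", and Tom Mornini's controller-side @object.password = ''), here is an added example that is not Rails' code and not from anyone in the thread. It is plain Ruby with no Rails dependency: a stripped-down stand-in for a password_field helper, a simulated create action, and a check that asks whether the re-rendered page carries the submitted password. The User struct, the :redisplay option, the create and leaks_password? helpers and the sample params are all assumptions made for illustration.

```ruby
require 'cgi'

# Constructed stand-in for a model (not Rails' own code): a record with a
# password attribute and a validation that fails when the e-mail is blank,
# which gives the controller a reason to re-render the form.
User = Struct.new(:email, :password) do
  def valid?
    !email.to_s.strip.empty?
  end
end

# Simplified stand-in for a password_field helper. The behaviour under
# discussion is the value attribute: by default the field is rendered with
# the object's current attribute value, HTML-escaped, just like a text field.
# :redisplay is the Struts-style switch floated in the thread (an assumption
# for this example, not a real Rails option); when false, no value attribute
# is emitted at all.
def password_field(object, attribute, redisplay: true)
  name  = "#{object.class.name.downcase}[#{attribute}]"
  id    = name.gsub(/[\[\]]+/, '_').chomp('_')
  value = object.public_send(attribute)
  attrs = [%(type="password"), %(name="#{name}"), %(id="#{id}")]
  attrs << %(value="#{CGI.escapeHTML(value.to_s)}") if redisplay && value
  "<input #{attrs.join(' ')} />"
end

# Simulated create action. On validation failure the form is re-rendered
# from the same object that still holds the submitted password.
# clear_password is the controller-side fix from the thread (blank the
# attribute before rendering); redisplay is the view-side alternative.
def create(params, clear_password: false, redisplay: true)
  user = User.new(params['email'], params['password'])
  return { status: :redirect, html: nil } if user.valid?
  user.password = '' if clear_password
  { status: :rerender, html: password_field(user, :password, redisplay: redisplay) }
end

# Does the rendered page contain the submitted password? The comparison is
# against the escaped form on purpose: escaping stops markup injection, but
# an escaped password is still the password in clear text for anything that
# can read the response (browser cache, proxy logs, "view source").
def leaks_password?(html, password)
  return false if password.to_s.empty?
  html.include?(CGI.escapeHTML(password))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: a blank e-mail forces the re-render path; the quote in
  # the password shows that escaping alone does not remove it from the page.
  submitted = { 'email' => '', 'password' => 'hunter"2' }
  {
    'default'      => create(submitted),
    'cleared'      => create(submitted, clear_password: true),
    'no redisplay' => create(submitted, redisplay: false)
  }.each do |label, result|
    leak = leaks_password?(result[:html], submitted['password'])
    puts format('%-13s %s  leak=%s', label + ':', result[:html], leak)
  end
end
```

Run as a script it prints the three rendered inputs side by side; only the default one carries the submitted password in its value attribute. Whichever side of the controller-versus-view argument you take, the check worth keeping is the last function: look at the response that goes back after a failed submission, not at the template, because that response is what ends up in caches and logs.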