|Title:||Impossible to login in order to update a project with some passwords|
|Last Modified:||2016-11-03 16:59:28|
|Version Found In:|
anonymous added on 2016-10-05 09:21:26:
Hello, I've locked my project (https://freshcode.club/projects/jarr) with a password generated with my password manager (https://www.passwordstore.org). Then, I want to update the project (just to test) with this per-project password. So, I provide this password to the login box of the page (https://freshcode.club/login) and the login fails. I think this is because my generated password contains the character: ". The part of the password to the left of the " character is still in the HTML input field. And the right part is displayed just above the "Save" button.
mario added on 2016-11-03 16:52:18: (text/x-fossil-wiki)
Now the password being incorrectly replayed is an HTML escaping issue. However, it was stored with the `"` intact. There's no filtering on the password input itself. It's been removed from the project entry for now.
mario added on 2016-11-03 16:59:28: (text/x-fossil-wiki)
Well, there is some filtering: `$_REQUEST->ascii->nocontrol->trim["set_password"];` However, that would just strip out control characters, nothing else. HTML escaping for password input has been fixed.
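
The escaping issue discussed in this ticket, shown as an added example that is not part of the ticket or of freshcode's own code: a value containing `"` is placed into a double-quoted `value` attribute with and without `htmlspecialchars()`, and the markup is parsed back to see what the field actually holds. The function names, the field name `pw` and the sample password are assumptions constructed for the illustration.

```php
<?php
// Added illustration; names and the sample password are constructed, not freshcode's.

// Unescaped: the value goes straight into a double-quoted attribute, so a "
// inside it closes the attribute early and the rest spills into the markup.
function render_field_raw(string $password): string
{
    return '<input type="password" name="pw" value="' . $password . '">';
}

// Escaped: ENT_QUOTES encodes both quote styles as well as <, > and &.
function render_field_escaped(string $password): string
{
    $safe = htmlspecialchars($password, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="password" name="pw" value="' . $safe . '">';
}

// Parse the markup with an HTML parser and return the input's value attribute.
function parsed_value(string $html): ?string
{
    libxml_use_internal_errors(true);   // the raw case is malformed on purpose
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body><form>' . $html . '</form></body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input ? $input->getAttribute('value') : null;
}

$password = 'kT7"pQ2-constructed';      // constructed sample with a double quote

$renderers = [
    'raw'     => 'render_field_raw',
    'escaped' => 'render_field_escaped',
];

foreach ($renderers as $label => $render) {
    $html = $render($password);
    $seen = parsed_value($html);
    printf("%-8s markup: %s\n", $label, $html);
    printf("%-8s value : %s (%s)\n\n", $label, var_export($seen, true),
        $seen === $password ? 'round-trips' : 'does not round-trip');
}
```

Escaping happens only when the value is written into HTML; the stored password keeps its `"` unchanged, which matches the ticket's note that the password was stored intact.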