Even though the current JavaScript mask validator ignores password fields,
the validation algorithm is still revealed since (in Struts) the JavaScript
to call that validator with the appropriate regexp is still generated.

I also think that we shouldn't restrict what validation can be specified
since what's a "good idea" to do (or not do) depends on the situation:

1) For "logon forms" I agree as little information as possible should be
given and I would recommend that only two validation checks are made - a) a
password must be entered (i.e. required) and b) the password entered must
match that stored against the user.

2) For creating/changing a password it's a different matter, since if there
are rules such as minimum/maximum lengths or a particular regexp validation
algorithm - then the user needs to be told what the rules are if they enter
an invalid password and I don't see a problem with having JavaScript
validations for this.

IMO we should remove any restrictions on password validations and just
provide some "best practice" advice.

Niall

----- Original Message ----- 
From: "David Graham" <[EMAIL PROTECTED]>
To: "Jakarta Commons Users List" <[email protected]>
Sent: Wednesday, January 12, 2005 8:56 PM
Subject: Re: [commons-validator] Problems with Javascript mask validation..plz Help!


> Revealing detailed validation algorithms for passwords on the client is a
> security issue so validator does not allow it by default.  Also, you
> should be able to replace [a-zA-Z_0-9] with \w.
>
> David
>
> --- Matt Bathje <[EMAIL PROTECTED]> wrote:
>
> > Eric Giguere wrote:
> > > Hi all
> > > I have a problem with the commons-validator 1.1.3 javascript
> > > implementation for validating masks.
> > > I tried to validate user name and password on a form.
> > >
> > > For testing purposes, I've set both fields with the same regexp in the
> > > validation.xml file:
> > > ^[a-zA-Z_0-9][a-zA-Z_0-9!^$&amp;%]{5,14}$
> > > The username gets validated OK but not the password. Is it possible? Does
> > > the fact that the control shows **** as data (password field) break the
> > > validation?
> > >
> >
> >
> > The javascript side of the mask validation only works on fields with
> > type hidden, text, textarea or file.
> >
> >
> > Matt
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
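The split Niall describes, as an added example that is not part of the original thread and is not commons-validator or Struts code: the logon check applies only "required" and "matches the stored credential", while the create/change check applies the mask from the thread and states the rule. The function names, the `verify` callback and the sample strings are assumptions made for illustration; the mask is the one quoted above with `&amp;` decoded to `&`, alongside the `\w` form David suggests.

```javascript
// Added example (assumed names; constructed sample data).
// Mask from the thread, and the same mask using David's \w shorthand.
const MASK_LONG = /^[a-zA-Z_0-9][a-zA-Z_0-9!^$&%]{5,14}$/;
const MASK_SHORT = /^\w[\w!^$&%]{5,14}$/;

// Constructed samples used to confirm both spellings accept the same inputs.
const SAMPLES = ["Abc_123!", "!bad123", "short", "a".repeat(16),
                 "ok^$&%x", "has space1", ""];

function masksAgree(samples) {
  return samples.every((s) => MASK_LONG.test(s) === MASK_SHORT.test(s));
}

// Logon form: (a) required, (b) must match what is stored for the user.
// No mask is applied, so a password that breaks the mask and one that is
// simply wrong produce the same message.
// `verify` is a hypothetical caller-supplied (username, password) => boolean
// that checks the stored credential.
function validateLogon(form, verify) {
  if (!form.password) {
    return { ok: false, error: "Password is required." };
  }
  if (!verify(form.username, form.password)) {
    return { ok: false, error: "Invalid username or password." };
  }
  return { ok: true, error: null };
}

// Create/change form: the user has to be told the rule, so the mask is
// checked here and the message spells it out (1 + 5..14 chars = 6 to 15).
function validateNewPassword(form) {
  if (!form.password) {
    return { ok: false, error: "Password is required." };
  }
  if (!MASK_SHORT.test(form.password)) {
    return {
      ok: false,
      error: "Password must be 6 to 15 characters, start with a letter, " +
             "digit or underscore, and contain only letters, digits, " +
             "_ ! ^ $ & %.",
    };
  }
  return { ok: true, error: null };
}
```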