That sounds fine in theory, but I can't see how we could actually implement that in reality. When the validation javascript is being rendered there is no knowledge of whether the associated form field is a "password" type or not, and just having the actual validators ignore password fields isn't "shipping with secure best practice" if all the rules (min/max lengths, regular expressions etc.) are still rendered in the javascript.

Niall

----- Original Message -----
From: "David Graham" <[EMAIL PROTECTED]>
To: "Jakarta Commons Users List" <[email protected]>
Sent: Thursday, January 13, 2005 8:35 PM
Subject: Re: [commons-validator] Problems with Javascript mask validation..plz Help!

> Even though you tell the user the password rules they still shouldn't be
> able to see the details of how you're validating the password. I believe
> validator should ship with the secure best practices implemented by
> default and make the user enable/disable as they want.
>
> David
>
> --- Niall Pemberton <[EMAIL PROTECTED]> wrote:
>
> > Even though the current javascript mask validator ignores password
> > fields, the validation algorithm is still revealed since (in Struts) the
> > javascript to call that validator with the appropriate regexp is still
> > generated.
> >
> > I also think that we shouldn't restrict what validation can be specified,
> > since what's a "good idea" to do (or not do) depends on the situation:
> >
> > 1) For "logon forms" I agree as little information as possible should be
> > given and I would recommend that only two validation checks are made -
> > a) a password must be entered (i.e. required) and b) the password entered
> > must match that stored against the user.
> >
> > 2) For creating/changing a password it's a different matter, since if
> > there are rules such as minimum/maximum lengths or a particular regexp
> > validation algorithm - then the user needs to be told what the rules are
> > if they enter an invalid password, and I don't see a problem with having
> > javascript validations for this.
> >
> > IMO we should remove any restrictions on password validations and just
> > provide some "best practice" advice.
> >
> > Niall
> >
> > ----- Original Message -----
> > From: "David Graham" <[EMAIL PROTECTED]>
> > To: "Jakarta Commons Users List" <[email protected]>
> > Sent: Wednesday, January 12, 2005 8:56 PM
> > Subject: Re: [commons-validator] Problems with Javascript mask
> > validation..plz Help!
> >
> > > Revealing detailed validation algorithms for passwords on the client
> > > is a security issue so validator does not allow it by default. Also,
> > > you should be able to replace [a-zA-Z_0-9] with \w.
> > >
> > > David
> > >
> > > --- Matt Bathje <[EMAIL PROTECTED]> wrote:
> > >
> > > > Eric Giguere wrote:
> > > > > Hi all
> > > > > I have a problem with the commons-validator 1.1.3 javascript
> > > > > implementation for validating masks.
> > > > > I tried to validate user name and password on a form.
> > > > >
> > > > > For testing purposes, I've set both fields with the same regexp
> > > > > in the validation.xml file:
> > > > > ^[a-zA-Z_0-9][a-zA-Z_0-9!^$&%]{5,14}$
> > > > > The username gets validated OK but not the password. Is it
> > > > > possible? Is the fact that the control shows **** as data
> > > > > (password field) breaking the validation?
> > > >
> > > > The javascript side of the mask validation only works on fields with
> > > > type hidden, text, textarea or file.
> > > >
> > > > Matt

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
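The behaviour the thread argues over, as an added example that is not code from commons-validator or Struts and is not part of the original messages. It models three things the posts state: the client-side mask check skips password fields (so a password field "passes" without ever being tested), the regexp text still ends up in the page that is sent to the browser, and the rule therefore has to be applied on the server as well. Eric's regexp is used as written, alongside David's shorter spelling with \w (in JavaScript \w is exactly [A-Za-z0-9_], so the two are equivalent). The field objects, the `rules[...]` table format and the names `clientMaskCheck`, `serverMaskCheck`, `renderRuleTable` and `validateForm` are invented for the example; the real generated Struts script looks different.

```javascript
// Added example, not code from commons-validator or Struts. Field objects,
// function names and the rendered rule-table format are constructed here.

// Eric's mask from validation.xml, and the same rule spelled with \w as
// David suggests. In JavaScript \w is [A-Za-z0-9_], so they match the same strings.
const MASK = /^[a-zA-Z_0-9][a-zA-Z_0-9!^$&%]{5,14}$/;
const MASK_W = /^\w[\w!^$&%]{5,14}$/;

// Field types the client-side mask validator handles, as Matt lists them.
const CLIENT_MASK_TYPES = new Set(["hidden", "text", "textarea", "file"]);

// Client-side check: reports whether the field was looked at and whether it
// passed. A password field is never looked at, so it "passes" unchecked.
function clientMaskCheck(field, mask) {
  if (!CLIENT_MASK_TYPES.has(field.type)) {
    return { checked: false, valid: true };
  }
  return { checked: true, valid: mask.test(field.value) };
}

// Server-side check: applies the rule regardless of how the field was
// rendered. This is the check that must exist even when the client skips it.
function serverMaskCheck(value, mask) {
  return mask.test(value);
}

// Simplified stand-in for the rule table a generated validation script
// carries (constructed here, not the Struts output). The point is only that
// the regexp source is in the page for anyone to read, whether or not the
// client validator ever applies it to a password field.
function renderRuleTable(fields, mask) {
  return fields
    .map((f) => `rules["${f.name}"] = "${mask.source}";`)
    .join("\n");
}

// Run both checks over a form and report, per field, where the rule was
// actually enforced.
function validateForm(fields, mask) {
  return fields.map((f) => {
    const client = clientMaskCheck(f, mask);
    return {
      name: f.name,
      enforcedOnClient: client.checked,
      clientValid: client.valid,
      serverValid: serverMaskCheck(f.value, mask),
    };
  });
}

// Constructed sample form: a username that satisfies the mask and a password
// that would fail it if anything on the client actually checked it.
const SAMPLE_FORM = [
  { name: "username", type: "text", value: "eric_01" },
  { name: "password", type: "password", value: "!short" },
];

// Usage:
//   console.table(validateForm(SAMPLE_FORM, MASK));
//   console.log(renderRuleTable(SAMPLE_FORM, MASK));
```

Running `validateForm` over the sample form shows the asymmetry Niall describes: the username row is enforced on the client and passes, while the password row is never checked on the client (`enforcedOnClient: false`, `clientValid: true`) yet fails `serverMaskCheck`, and `renderRuleTable` still emits the full regexp for both fields.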
