Have you actually looked at it? I believe it just returns asterisks.

On Monday, August 25, 2014 3:02:49 PM UTC-7, Mark Li wrote:
>
> I am currently looking into whether or not password fields should be
> cleared on registration error after the form fails server-side validation.
> At the moment, web2py shows the password after a registration error,
> instead of leaving it blank. While this may make editing the password
> easier (in case there are pw errors), it seems to pose a security risk
> because you are sending the password back to the client in plain text. To
> my understanding, this would allow the page to be cached with the
> password's value in plain text.
>
> I tested this on a variety of browsers and systems, so to the best of my
> knowledge this behavior is not unique to a browser.
>
> Does this pose a reasonable security risk?
>
> Some reference links:
>
> http://ux.stackexchange.com/questions/39999/why-do-most-create-account-forms-clear-the-password-fields-upon-wrong-validation
>
> http://ux.stackexchange.com/questions/20418/when-form-submission-fails-password-field-gets-blanked-why-is-that-the-case
>
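One way to check, for a given page, which of the two behaviours discussed in this thread actually occurs (an added example, not part of either post and not web2py code): parse the HTML returned after a failed registration and report whether each password input carries the submitted value, a mask of asterisks, or nothing. The sample markup, field names and password below are constructed for illustration.

```python
from html.parser import HTMLParser


class PasswordEchoFinder(HTMLParser):
    """Collect (name, value) for every <input type="password"> with a non-empty value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing <input ... /> tags.
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("value"):
            # Attribute values arrive already entity-decoded (&amp; -> &).
            self.findings.append((a.get("name", ""), a["value"]))


def classify(html, submitted):
    """Map each pre-filled password field to 'plaintext', 'mask' or 'other'."""
    parser = PasswordEchoFinder()
    parser.feed(html)
    parser.close()
    result = {}
    for name, value in parser.findings:
        if value == submitted:
            result[name] = "plaintext"   # the secret itself is in the response body
        elif set(value) == {"*"}:
            result[name] = "mask"        # only a placeholder was sent back
        else:
            result[name] = "other"       # pre-filled with something else; inspect by hand
    return result


# Constructed sample responses (not captured from a real application).
SUBMITTED = "Tr0ub4dor&3"
ECHOED = ('<form><input name="email" type="text" value="a@example.com"/>'
          '<input name="password" type="password" value="Tr0ub4dor&amp;3"/></form>')
MASKED = '<form><input name="password" type="password" value="********"/></form>'
BLANK = '<form><input name="password" type="password" value=""/></form>'

if __name__ == "__main__":
    for label, body in (("echoed", ECHOED), ("masked", MASKED), ("blank", BLANK)):
        print(label, classify(body, SUBMITTED))
```

Run against the raw response body (for example, saved from the browser's network panel), not the rendered field, since a password input displays dots whatever its `value` attribute holds.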