I am currently looking into whether or not password fields should be cleared on registration error after the form fails server-side validation. At the moment, web2py shows the password after a registration error, instead of leaving it blank. While this may make editing the password easier (in case there are pw errors), it seems to pose a security risk because you are sending the password back to the client in plain text. To my understanding, this would allow the page to be cached with the password's value in plain text.
I tested this on a variety of browsers and systems, so to the best of my knowledge this behavior is not unique to a browser. Does this pose a reasonable security risk?

Some reference links:

- http://ux.stackexchange.com/questions/39999/why-do-most-create-account-forms-clear-the-password-fields-upon-wrong-validation
- http://ux.stackexchange.com/questions/20418/when-form-submission-fails-password-field-gets-blanked-why-is-that-the-case

Resources:

- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
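The behaviour the post describes, re-rendering the registration form with the submitted password in the `value` attribute, next to the variant that blanks password fields, as an added, framework-agnostic example (this is not web2py's own code and does not use its form API). The submitted values, the validation error, and the helper names are all constructed for illustration. The point it makes concrete: `<input type="password">` only masks the field on screen; the value is still plain text in the HTML source, so it ends up wherever that response is stored (browser cache, proxy cache, saved page), unless the field is emptied and the response is marked `Cache-Control: no-store`.

```python
import html

# Constructed sample: what the browser POSTed to the registration handler and
# the error the server produced for it (illustrative values only).
SUBMITTED = {
    "email": "alice@example.com",
    "password": "S3cret!pass",
    "password2": "S3cret!pas",  # typo on the confirmation field
}
ERRORS = {"password2": "Passwords do not match"}

# Field names the application treats as secrets (assumed for this example).
PASSWORD_FIELDS = {"password", "password2"}


def render_field(name, value, error):
    """Render one input; values are attribute-escaped so they cannot break out."""
    input_type = "password" if name in PASSWORD_FIELDS else "text"
    out = (f'<input type="{input_type}" name="{name}" '
           f'value="{html.escape(value, quote=True)}">')
    if error:
        out += f' <span class="error">{html.escape(error)}</span>'
    return out


def render_form_echoing(submitted, errors):
    """Mirrors the behaviour described in the post: every submitted value,
    passwords included, is written back into the re-rendered form."""
    return "\n".join(render_field(n, v, errors.get(n))
                     for n, v in submitted.items())


def render_form_cleared(submitted, errors):
    """Hardened variant: password fields come back empty; everything else is
    preserved so the user only has to retype the secret."""
    return "\n".join(
        render_field(n, "" if n in PASSWORD_FIELDS else v, errors.get(n))
        for n, v in submitted.items())


def response_headers():
    """Headers for the failed-registration response. 'no-store' tells the
    browser and any intermediary not to keep a copy of this page at all;
    'Pragma: no-cache' covers HTTP/1.0 caches. Use together with clearing
    the fields, not instead of it."""
    return {"Cache-Control": "no-store", "Pragma": "no-cache"}


def password_leaks(page, submitted):
    """Names of password fields whose submitted value appears verbatim
    (attribute-escaped) anywhere in the rendered page."""
    return sorted(
        n for n in PASSWORD_FIELDS
        if submitted.get(n) and html.escape(submitted[n], quote=True) in page
    )


if __name__ == "__main__":
    echoed = render_form_echoing(SUBMITTED, ERRORS)
    cleared = render_form_cleared(SUBMITTED, ERRORS)
    print("echoing form leaks:", password_leaks(echoed, SUBMITTED))
    print("cleared form leaks:", password_leaks(cleared, SUBMITTED))
    print("headers:", response_headers())
```

Running it shows both password fields present in the echoing form and none in the cleared one. The check is deliberately done on the rendered HTML rather than on the form object, because that is the artefact a cache or a "save page" actually retains.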