Resolved

Passwords which look like HTML are not accepted

description

Passwords which look like HTML, e.g. <AS23/, are not accepted

The error is

A potentially dangerous Request.Form value was detected from the client (password="<AS23/").

This is on the login form, on the change password screen and on register.

Suggestion: add ValidateInput(false) on the LogOn, Register and ChangePassword actions in AccountController in Orchard.Users or ... create FormModels where the Password property is decorated with [AllowHtml]


PS. We have Orchard integrated with Active Directory and I have such a password with chars like < / > and cannot log in :) because sending the form doesn't allow me to

comments

JasperD wrote Nov 14, 2013 at 5:50 PM

I think that was fixed in 103e71d, except for ActionResult ChangePassword(string currentPassword, string newPassword, string confirmPassword)

rodpl wrote Nov 21, 2013 at 8:57 AM

Exactly ... ChangePassword is still bugged

Jetski5822 wrote Jun 23 at 9:35 PM

Fixed in changeset 1936743ca0d7638fd4691f015f985e805ecd2b71
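
The two options suggested in the description, side by side for ASP.NET MVC. This is an added example, not Orchard's code and not the content of either changeset; ChangePasswordForm and IAccountService are hypothetical names. [AllowHtml] can only be applied to properties, so an action that takes plain string parameters, like the ChangePassword signature quoted in the comments, needs either a form model or ValidateInput(false).

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Hypothetical service standing in for the real membership / Active Directory check.
public interface IAccountService {
    bool ValidateUser(string userName, string password);
    bool ChangePassword(string userName, string currentPassword, string newPassword);
}

// Hypothetical form model: only these properties skip request validation.
public class ChangePasswordForm {
    [Required, AllowHtml, DataType(DataType.Password)]
    public string CurrentPassword { get; set; }

    [Required, AllowHtml, DataType(DataType.Password)]
    public string NewPassword { get; set; }

    [Required, AllowHtml, DataType(DataType.Password)]
    public string ConfirmPassword { get; set; }
}

public class AccountController : Controller {
    private readonly IAccountService _accounts;
    public AccountController(IAccountService accounts) { _accounts = accounts; }

    // Option 1: ValidateInput(false) exempts every field posted to this action,
    // so userName is no longer checked by request validation either.
    [HttpPost, ValidateInput(false)]
    public ActionResult LogOn(string userName, string password) {
        if (!_accounts.ValidateUser(userName, password)) {
            ModelState.AddModelError("", "The user name or password is incorrect.");
            return View(); // the submitted password is not passed back to the view
        }
        return RedirectToAction("Index", "Home");
    }

    // Option 2: the exemption is scoped to the [AllowHtml] properties;
    // any other posted field is still subject to request validation.
    [HttpPost]
    public ActionResult ChangePassword(ChangePasswordForm form) {
        if (form.NewPassword != form.ConfirmPassword)
            ModelState.AddModelError("ConfirmPassword", "The passwords do not match.");
        if (!ModelState.IsValid)
            return View(); // re-render an empty form, never echo the passwords
        bool changed = _accounts.ChangePassword(
            User.Identity.Name, form.CurrentPassword, form.NewPassword);
        return changed ? (ActionResult)RedirectToAction("ChangePasswordSuccess")
                       : View();
    }
}
```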