Skip to content
This repository was archived by the owner on Dec 14, 2018. It is now read-only.

Password value: input vs editor #7418

Closed
maxtoroq opened this issue Mar 1, 2018 · 6 comments
Closed

Password value: input vs editor #7418

maxtoroq opened this issue Mar 1, 2018 · 6 comments
Assignees
@dougbu
Labels
3 - Done bug cost: S Will take up to 2 days to complete
Milestone
2.1.0-preview2

Comments

@maxtoroq
Copy link

maxtoroq commented Mar 1, 2018

When you use the input helper for a password field, the value attribute is not rendered. When you use the editor helper, the value attribute is rendered. This is how it works in MVC 5, I haven't tried in Core but a quick look at the code tells me it should work the same (see DefaultEditorTemplates.PasswordTemplate.

Is there a reason for this difference?
@mkArtakMSFT
Copy link
Member

Hi @maxtoroq. This behavior is intentional.
The reason is that it can lead to sensitive data to be exposed in clear text on the client side, as in the rendered page that value will be in clear text (in the source of the page).

@maxtoroq
Copy link
Author

maxtoroq commented Mar 1, 2018

@mkArtakMSFT You either didn't read or didn't understand. I know the behavior is by design. My question is, why isn't the editor helper behavior consistent?

@mkArtakMSFT
Copy link
Member

I indeed misunderstood you, @maxtoroq. Reopening to understand how we should move forward here.

@mkArtakMSFT mkArtakMSFT reopened this Mar 1, 2018
@mkArtakMSFT mkArtakMSFT added bug and removed question labels Mar 1, 2018
@mkArtakMSFT
Copy link
Member

@dougbu, seems like a bug. How hard will it be to fix this?

@dougbu
Copy link
Member

dougbu commented Mar 2, 2018

If we confirm this happens in ASP.NET Core MVC as well, it's a one-line fix. Would need a few tests of course.

I also suggest we add a default display template for passwords.

@mkArtakMSFT mkArtakMSFT added this to the 2.1.0-preview2 milestone Mar 2, 2018
dougbu added a commit that referenced this issue Mar 2, 2018
@dougbu
Do not use FormattedModelValue in password editor template
159e4b0 
- #7418
- add quirk switch to reverse this if necessary
@dougbu dougbu mentioned this issue Mar 2, 2018
Closed
dougbu added a commit that referenced this issue Mar 2, 2018
@dougbu
Do not use FormattedModelValue in password editor template
bb792e9 
- #7418
- add quirk switch to reverse this if necessary
@dougbu dougbu mentioned this issue Mar 3, 2018
Closed
@dougbu dougbu added the cost: S Will take up to 2 days to complete label Mar 3, 2018
dougbu added a commit that referenced this issue Mar 5, 2018
@dougbu
Do not use FormattedModelValue in password editor template
f061d32 
- #7418
- add quirk switch to reverse this if necessary
@dougbu
Copy link
Member

dougbu commented Mar 5, 2018

f061d32

@dougbu dougbu closed this as completed Mar 5, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@dougbu dougbu

Labels
3 - Done bug cost: S Will take up to 2 days to complete
Projects
None yet
Milestone
2.1.0-preview2
Development

No branches or pull requests
3 participants
@maxtoroq @dougbu @mkArtakMSFT