• koper@feddit.nl
    link
    fedilink
    arrow-up
    0
    ·
    28 days ago

    Why the password.trim()? Silently removing parts of the password tells me the developer can lead to dangerous bugs and tells me the developer didn’t peoperly consider how to sanitize input.

    I remember once my password for a particular organization had a space at the end. I could log in to all LDAP-connected applications, except for one that would insist my password was wrong. A trim() or similar was likely the culprit.

    • spechter@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      28 days ago

      Another favorite of mine is truncating the password to a certain length w/o informing the user.

      • Flipper@feddit.org
        link
        fedilink
        arrow-up
        0
        ·
        28 days ago

        The password needs to be 8 letters long and may only contain the alphabet. Also we don’t tell you this requirement or tell you that setting the password went wrong. We just lock you out.

      • NotationalSymmetry@ani.social
        link
        fedilink
        English
        arrow-up
        0
        ·
        28 days ago

        Saving the password truncates but validation doesn’t. So it just fails every time you try to log in with no explanation. The number of times I have seen this in a production website is too damn high.

    • HamsterRage@lemmy.ca
      link
      fedilink
      arrow-up
      0
      ·
      28 days ago

      The reason for leaving in the password.trim() would be one of the few things that I would ever document with a comment.