• koper@feddit.nl · 40 · 2 months ago

    Why the password.trim()? Silently removing parts of the password can lead to dangerous bugs and tells me the developer didn’t properly consider how to sanitize input.

    I remember once my password for a particular organization had a space at the end. I could log in to all LDAP-connected applications, except for one that would insist my password was wrong. A trim() or similar was likely the culprit.

    • spechter@lemmy.ml · 33 · 2 months ago

      Another favorite of mine is truncating the password to a certain length w/o informing the user.

      • NotationalSymmetry · 16 · 2 months ago

        Saving the password truncates but validation doesn’t. So it just fails every time you try to log in with no explanation. The number of times I have seen this in a production website is too damn high.

      • Flipper@feddit.org · 11 · 2 months ago

        The password needs to be 8 letters long and may only contain the alphabet. Also we don’t tell you this requirement or tell you that setting the password went wrong. We just lock you out.

    • Aijan@programming.dev (OP) · 16 · 2 months ago

      Thanks for the tip. password.trim() can indeed be problematic. I just removed that line.

    • HamsterRage@lemmy.ca · 12 · 2 months ago

      The reason for leaving in the password.trim() would be one of the few things that I would ever document with a comment.