[Zope] IE5 form entry horror.

Alexander Staubo alex@mop.no
Wed, 12 May 1999 17:44:55 +0200


Why is this a problem?

It's a client security problem, not something that hits the server in
any particular way. If the desktop user configured his computer so that
anyone can reclaim his password from the autocomplete list, that's his
problem. You could "fix" Zope, but it wouldn't fix the thousands of
other web sites which also do credit card.

Afaik, autocompletion on forms is disabled by default.

Alexander Staubo
http://www.mop.no/~alex/
mailto:redhand@mop.no

>-----Original Message-----
>From: anthony@nextTelecom.com [mailto:anthony@nextTelecom.com] On Behalf Of Anthony Baxter
>Sent: 12. mai 1999 16:38
>To: zope@zope.org
>Subject: [Zope] IE5 form entry horror.
>
>
>one of the customer service people here just pointed out something of
>a horror problem (a week before go-live, yay).
>
>IE5 appears to have a client-side cache of form entry values - so if
>someone returns to a page, they get a drop-box of previously entered
>values for this form field - this occurs even on a form accessed by https.
>To say that I'm somewhat unimpressed by this utter misfeature is something
>of an understatement. Imagine a kiosk setup, with a registration screen
>prompting for (amongst other things) a credit card number. Gee, let's
>use one someone entered earlier - pull down a little scrolly box.
>
>aiieieieie. One thought that comes to mind is to make the form field
>name be a name with a random bit on the end. (Another thought that came
>to mind was to do a drive-by on the local MS office.) Anyway, the reason
>for the zope-post is that I'm thinking of hacking the field name converting
>so that you can do fieldname:type:end:anything and just finish looking
>for the type name after it hits the 'end' tag.
>
>This is a 3 line patch to ZPublisher/HTTPRequest.py - would it offend
>anyone if it was added?
>
>Anthony
>
>_______________________________________________
>Zope maillist  -  Zope@zope.org
>http://www.zope.org/mailman/listinfo/zope
>
>(For developer-specific issues, use the companion list,
>zope-dev@zope.org - http://www.zope.org/mailman/listinfo/zope-dev )
>
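One way to implement the field-name scheme Anthony describes (a random suffix after an `end` tag, with the server discarding everything past that tag), as an added Python example that is neither his patch nor ZPublisher's own code; the `end` marker handling and the converter table are assumptions made for the illustration:

```python
import secrets

# Hypothetical converter table (not ZPublisher's real one): the type tags
# the server honours between the base name and the "end" marker.
CONVERTERS = {"int": int, "float": float, "string": str}


def randomized_field_name(base, type_tags=()):
    """Build "base[:type...]:end:<random>" so the field name differs on
    every page load and never matches an earlier autocomplete entry."""
    parts = [base, *type_tags, "end", secrets.token_hex(8)]
    return ":".join(parts)


def parse_field_name(name):
    """Split a submitted field name into (base, type tags), discarding
    everything after the first "end" tag."""
    base, *tags = name.split(":")
    kept = []
    for tag in tags:
        if tag == "end":
            break
        kept.append(tag)
    return base, kept


def decode_form(form):
    """Map raw submitted names back to their base names, applying the
    converters named in the tags. Raises ValueError on an unknown tag."""
    decoded = {}
    for raw_name, value in form.items():
        base, tags = parse_field_name(raw_name)
        for tag in tags:
            if tag not in CONVERTERS:
                raise ValueError(f"unknown type tag {tag!r} in {raw_name!r}")
            value = CONVERTERS[tag](value)
        decoded[base] = value
    return decoded


if __name__ == "__main__":
    # Constructed sample: names as the server would emit them on one page
    # load, values as a browser would post them back.
    posted = {
        randomized_field_name("card_number", ["string"]): "0000000000001234",
        randomized_field_name("expiry_year", ["int"]): "2001",
    }
    print(decode_form(posted))
```

Because the random suffix sits after `end`, the server still recovers the plain base name, while each rendering of the form presents the browser with a name it has never cached.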