[MGNLUI-3459] Keep username on login error Created: 12/Jun/15 Updated: 13/Mar/17 Resolved: 13/Mar/17 |
|
| Status: | Closed |
| Project: | Magnolia UI |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Neutral |
| Reporter: | Magnolia International | Assignee: | Unassigned |
| Resolution: | Won't Do | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | 0d | ||
| Time Spent: | 5h 35m | ||
| Original Estimate: | Not Specified | ||
| Description |
|
When a login error occurs, it's much more likely the password is wrong; we should (probably?) keep the username field filled in, and set the focus on the password field. (We currently have both fields empty, and focus set on the username field in any case.) |
| Comments |
| Comment by Federico Grilli [ 02/Jul/15 ] |
|
I don't think we should use ?html because, if I'm not mistaken, chars like < > & are legit for a username, and escaping them and then submitting would result in a login error. |
| Comment by Jan Haderka [ 02/Jul/15 ] |
|
But should such characters be allowed in the user name? Does it make any sense? |
| Comment by Federico Grilli [ 02/Jul/15 ] |
|
Probably not, but that's how it is now. I think, at least for the issue at hand, we should not do any escaping. |
| Comment by Jan Haderka [ 02/Jul/15 ] |
|
No escaping is a security vulnerability. Anything that comes with the request has to be treated as potentially unsafe, thus ignored or escaped. I would much rather ignore (i.e. not enable this feature for anyone w/ special char in name) than have something that can do injection ... especially on a page where you enter your password. |
| Comment by Magnolia International [ 03/Jul/15 ] |
|
Before anything happens, we need an answer to the question in the description of this ticket. |
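
Added example, not part of the ticket or Magnolia's code: it renders a prefilled username field with and without HTML escaping, parses the markup back the way an HTML parser decodes attribute values, and compares what the form would post. The field name, the sample usernames, the allowlist pattern and the use of Python's `html.escape` as a stand-in for the template's `?html` are all assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample usernames (not from the ticket).
SAMPLES = ['alice', 'a<b>&c', 'tom&amp;jerry', 'bob" x="']

FIELD = '<input type="text" name="username" value="%s">'  # hypothetical form field


class InputCollector(HTMLParser):
    """Collects <input> attributes with character references decoded."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def render_unescaped(username):
    # Request value reflected verbatim into the attribute.
    return FIELD % username


def render_escaped(username):
    # html.escape is used here as a stand-in for the template's ?html (assumption).
    return FIELD % html.escape(username, quote=True)


def parse_input(markup):
    """Attributes of the first <input>, as an HTML parser decodes them."""
    collector = InputCollector()
    collector.feed(markup)
    collector.close()
    return collector.inputs[0] if collector.inputs else {}


def submitted_value(markup):
    # What the form would post back if the user only typed the password.
    return parse_input(markup).get("value")


def prefill_or_blank(username, allowed=re.compile(r"[A-Za-z0-9._@-]+")):
    # The stricter option from the thread: skip prefill for unusual names.
    # The allowlist pattern is an assumption, not Magnolia's rule.
    return username if allowed.fullmatch(username) else ""
```

With escaping, every sample comes back from the parsed field unchanged; without it, a name containing a quote is cut short and leaves an extra attribute on the input, and a name containing `&amp;` is silently altered.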