Title: INVISIBLE attribute
Post by: Tim B. on December 01, 2008, 11:31:58 am

Just a small point - this attribute replaces WIDGET="pasword" and now displays asterisks instead of letters, but I notice that it displays the actual number of asterisks that the underlying data contains rather than a fixed number (like many other programs do). This is a bit of a security hole because it gives away the number of characters in someone's password or whatever it is that is being hidden.

Title: Re: INVISIBLE attribute
Post by: Sebastien F. on December 04, 2008, 04:35:23 pm

Tim,
We mimic the Informix 4gl attribute so this will certainly never change. From Informix 4gl doc:

Quote
INVISIBLE
The INVISIBLE attribute prevents user-entered data from being echoed on the screen during a CONSTRUCT, INPUT, INPUT ARRAY, or PROMPT statement.
Usage
Characters that the user enters in a field with this attribute are not displayed during data entry, but the cursor moves through the field as the user types.

Seb

Title: Re: INVISIBLE attribute
Post by: Tim B. on December 04, 2008, 04:44:18 pm

The difference was though that INVISIBLE in BDS (and I suspect Informix) displayed nothing. Genero is displaying asterisks (LIKE CLASS=PASSWORD).
This issue isn't with data entry though, it is the re-displaying of INVISIBLE fields afterwards, as they tell you how many characters are in the 'INVISIBLE' field.

Title: Re: INVISIBLE attribute
Post by: Sebastien F. on December 04, 2008, 04:53:31 pm

Good point.
I believe we need to use * asterisks in GUI mode because the runtime system truncates values returned by the front-end... Maybe we could use the cursor position... I could file a bug to track this issue, but I doubt we will fix this soon. Note that Gnome and Windows session login dialogs display asterisks or points, so I believe in GUI mode this is typical.

Seb

Title: Re: INVISIBLE attribute
Post by: Tim B. on December 05, 2008, 10:39:26 am

Asterisks are fine, but most apps would fill the field with asterisks so you couldn't tell the length (when simply displaying data).
I'm not particularly worried about it. I just noticed it while converting one of our programs and thought it needed pointing out as a security issue.