Subscribe for automatic updates: RSS icon RSS

Login icon Sign in for full access | Help icon Help
Advanced search

Pages: [1]
  Reply  |  Print  
Author Topic: INVISIBLE attribute  (Read 11319 times)
Tim B.
Posts: 67


« on: December 01, 2008, 11:31:58 am »

Just a small point - this attribute replaces WIDGET="pasword" and now displays asterisks instead of letters, but I notice that it displays the actual number of asterisks that the underlying data contains rather than a fixed number (like many other programs do).  This is a bit of a security hole because it gives away the number of characters in someone's password or whatever it is that is being hidden.
Sebastien F.
Four Js
Posts: 545


« Reply #1 on: December 04, 2008, 04:35:23 pm »

Tim,

We mimic the Informix 4gl attribute so this will certainly never change.

From Informix 4gl doc:

Quote
INVISIBLE

The INVISIBLE attribute prevents user-entered data from being echoed on the
screen during a CONSTRUCT, INPUT, INPUT ARRAY, or PROMPT statement.

Usage

Characters that the user enters in a field with this attribute are not displayed
during data entry, but the cursor moves through the field as the user types.
Seb
Tim B.
Posts: 67


« Reply #2 on: December 04, 2008, 04:44:18 pm »

The difference was though that INVISIBLE in BDS (and I suspect Informix) displayed nothing.  Genero is displaying asterisks (LIKE CLASS=PASSWORD).

This issue isn't with data entry though, it is the re-displaying of INVISIBLE fields afterwards, as they tell you how many characters are in the 'INVISIBLE' field.
Sebastien F.
Four Js
Posts: 545


« Reply #3 on: December 04, 2008, 04:53:31 pm »

Good point.
I believe we need to use * asterisks in GUI mode because the runtime system truncates values returned by the front-end...
Maybe we could use the cursor position...
I could file a bug to track this issue, but I doubt we will fix this soon.
Note that Gnome and Windows session login dialogs display asterisks or points, so I believe in GUI mode this is typical.

Seb
Tim B.
Posts: 67


« Reply #4 on: December 05, 2008, 10:39:26 am »

Asterisks are fine, but most apps would fill the field with asterisks so you couldn't tell the length (when simply displaying data).

I'm not particularly worried about it.  I just noticed it while converting one of our programs and thought it needed pointing out as a security issue.
Pages: [1]
  Reply  |  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines