password problem with non-alphanumerics

js1 has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I have some perl code to change a user's password. This forwards the password into an html template file with the following html:

<input type="hidden" name="old" value="%PASSWORD%">
<input type="hidden" name="new" value="%PASSWORD%">
<input type="hidden" name="new2" value="%PASSWORD%">
[download]

If the new password contains a double quote then not all the password is actually read in e.g If my password was Tra"la then the html would be:

<input type="hidden" name="new" value="Tra"la">
[download]

which passed the value Tra.

I tried taking out the quote around the value, but then I had a problem if someone put a > character in their password.

Can any monks help me out please?
Thanks,
js1.

Comment on password problem with non-alphanumerics Select or Download Code

Replies are listed 'Best First'.
Re: password problem with non-alphanumerics by tinita (Parson) on May 07, 2004 at 10:38 UTC
`use HTML::Entities; encode_entities($password); # fill in $password into the template` [download] HTML::Entities	[reply] [d/l]
Re: password problem with non-alphanumerics by Corion (Patriarch) on May 07, 2004 at 10:42 UTC
I am well aware that rolling your own templating system is one of the rites of passage for almost every Perl programmer, but take a look at the already existing templating systems. Two of them (HTML::Template) and Petal) automatically encode attributes correctly, for the "other big two" (Template Toolkit and HTML::Mason) I'm quite sure that it is the same, but I haven't used them. Other than that, the HTML::Entities module is what you need, like tinita already showed.	[reply]
Re: Re: password problem with non-alphanumerics by js1 (Monk) on May 07, 2004 at 12:35 UTC
Thanks, The HTML::Entities did the trick.	[reply]
Re: password problem with non-alphanumerics by exussum0 (Vicar) on May 07, 2004 at 13:16 UTC
`<input type="hidden" name="old" value="%PASSWORD%"> <input type="hidden" name="new" value="%PASSWORD%"> <input type="hidden" name="new2" value="%PASSWORD%">` [download] This is a little evil, especially if the page gets cached, or is history-browsable. View source, and there's your password. Maybe it's not a big concern, but it's something to chew on. User Editor Page and clear text passwords has a discussion when it happened on perlmonks. Humma la beeba la seeba la booba la Humma la beeba la seeba la bop	[reply] [d/l]
Re: Re: password problem with non-alphanumerics by hmerrill (Friar) on May 07, 2004 at 13:50 UTC
I agree with "sporty" - although this wasn't the subject of your question, if you haven't already thought about this, you should think about encrypting your password before placing it in a form to be posted in a hidden field. If you are storing the user id's and passwords in a table (or file) one method would be to take the password the user entered and encrypt it, then store the encrypted password in the user table - then when the user wants to sign back in, take the password he/she enters and encrypt it, and compare that encrypted password to the encrypted password stored for that user id - if it matches, grant access.	[reply]
Re: Re: Re: password problem with non-alphanumerics by exussum0 (Vicar) on May 07, 2004 at 13:54 UTC
Amen. and if it can be taken a step further, never displayed the encrypted form either. 'cause some systems can suffer from playback vulnerabilities. Like encrypted cookies. Don't need to know the contents.. just need to have the key. Humma la beeba la seeba la booba la Humma la beeba la seeba la bop	[reply]