ResetPassword code should be HtmlDecoded #8325
Comments
Note that the code is encoded here in ForgotPassword ...
I know you say it's intermittent, but do you happen to have an example of such a code?
Yes, I should have mentioned: keep trying it until your code has a '+' in it. That was happening to me consistently for a while.
Ah, that would explain it :) + decodes differently in forms than in URIs. @HaoK we have a hint :)
Didn't notice this one since it wasn't assigned to me; will fix it in preview 8.
The fix now URL-encodes the code before we HTML-encode it, so it should always be safe. We also URL-decode the code before we try to verify it with the user manager.
Thanks! :)
An "invalid token" message is displayed periodically on the ResetPassword page after using the ForgotPassword page to send the user an email, and clicking on that link.
https://github.com/aspnet/AspNetCore/blob/bfec2c14be1e65f7dd361a43950d4c848ad0cd35/src/Identity/UI/src/Areas/Identity/Pages/V3/Account/ResetPassword.cshtml.cs#L120
I believe the fix should be to decode the code like this ...
I would do a PR for this but I have never contributed before and I thought someone could squeeze this in.
Thanks
--Andy
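
The '+' behaviour discussed in this thread, as an added C# console example that is not part of the issue or of the ASP.NET Core source: it runs a Base64 code through a form-style decoder and a URI-style decoder, with and without percent-encoding. The class name, helper names and token bytes are constructed for illustration, and the Base64url variant at the end goes beyond what the thread says about the fix.

```csharp
using System;
using System.Net;

static class ResetCodeDemo
{
    // Constructed sample token bytes; their Base64 form contains '+' and '/'.
    static readonly byte[] TokenBytes = { 0xFB, 0xEF, 0xBE, 0xFF, 0xE0, 0x01 };

    // Base64url (RFC 4648, section 5): no '+', '/' or '=' left to be misread.
    static string ToBase64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] FromBase64Url(string text)
    {
        string b64 = text.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }

    static void Report(string label, string received, string expected) =>
        Console.WriteLine($"{label,-34} '{received}' match={received == expected}");

    static void Main()
    {
        string code = Convert.ToBase64String(TokenBytes);

        // Raw code in the link: a form-style decoder turns '+' into a space,
        // a URI-style decoder leaves it alone, so the result depends on the path taken.
        Report("raw, form-style decode:", WebUtility.UrlDecode(code), code);
        Report("raw, URI-style decode:", Uri.UnescapeDataString(code), code);

        // Percent-encoded code: both decoders return the original value.
        string escaped = WebUtility.UrlEncode(code);
        Report("escaped, form-style decode:", WebUtility.UrlDecode(escaped), code);
        Report("escaped, URI-style decode:", Uri.UnescapeDataString(escaped), code);

        // Decoding a second time corrupts it again, so decode exactly once.
        Report("escaped, decoded twice:", WebUtility.UrlDecode(WebUtility.UrlDecode(escaped)), code);

        // Base64url needs no escaping and is unchanged by either decoder.
        string urlSafe = ToBase64Url(TokenBytes);
        string back = Convert.ToBase64String(FromBase64Url(WebUtility.UrlDecode(urlSafe)));
        Report("base64url, form-style decode:", back, code);
    }
}
```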