Add htmlInstaller support for password input fields #25

Open
jennings opened this Issue Sep 16, 2012 · 1 comment

Projects

None yet

2 participants

Contributor

I have a desire to add <input type="password"> support to htmlInstaller, and I think this feature is applicable to be merged back into the main project.

It's a really easy change on the face of it (see jennings@4708b53), but if you have logging turned on, the password gets logged. This may not be what the user expects or desires. Should we also mask the value on the "Setting user-defined edit value" line for password fields (easy) or somehow mask the password if it gets passed as an argument to a component (much harder, I think)?

We use DNI for internal tools so we always have logging turned on for debugging purposes, but most people probably keep logging disabled by default, so maybe logging passwords isn't such a bad thing.

Owner
dblock commented Sep 16, 2012

I think logging passwords is a bad thing and I would go with an implementation that works much like MSI: you should be able to declare properties as 'secure' and therefore never logged. I see a few different ways to do it, but ultimately you want to know what's secure and what's not secure inside InstallerSession::Instance->AdditionalControlArgs.

A somewhat hacky way to do this may be do do a convention, where secure variables have to start with S: and strip anything that's S:* in LOG.

@dblock dblock referenced this issue Apr 4, 2014
Closed

password box #70

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment