
Item4802: Reset password oops might be broken

Item Form Data

AppliesTo: Engine
Component:
Priority: Urgent
CurrentState: Closed
WaitingFor:
TargetRelease: minor
ReleasedIn: 4.2.0


Detail

I'm not sure, on my TWiki 4.2.0 I get escaped HTML (this is a c&p from the browser view, not from view source):

<span class='twikiAlert'>  A new *system-generated* password for your login name SvenDowideit (<nop>WikiName SvenDowideit) has been sent to your registered e-mail address. If your e-mail address is no longer valid, please contact <a href='mailto:?subject=Reset%20password%20request%20for%20%3cnop%3eSvenDowideit/%3cnop%3eSvenDowideit'></a><br /> </span>

Users with automatically generated passwords should proceed immediately to change password to change their password to something memorable. 

-- TWiki:Main/SvenDowideit - 12 Oct 2007

I recall having seen that too. So "Confirmed".

-- TWiki:Main.HaraldJoerg - 12 Oct 2007

From TWiki:Codev.FreetownReleaseMeeting2007x11x05 - here's how to reproduce:

  1. Set up a TWiki with AllowLoginName = 1
  2. Allow TWiki to manage passwords with PasswordManager = TWiki::Users::HtPasswdUser
  3. Register a user (or yourself)
  4. Reset the password for that user

-- TWiki:Main.HaraldJoerg - 05 Nov 2007

This is the result of using entity encoding to block HTML payloads. The password reset message was generated as a parameter value to the 'reset_ok' oops message.

CC

The change to encode parameters to the oops script (to block HTML payloads in parameters) broke the reset password functionality, which relies on passing the error message on to oops. All the error messages were formatted as HTML, which was being encoded. So I created a new type of alert (nohtml) and converted all the messages to remove the HTML from them. To avoid forcing a retranslation step, I manually edited the .po files to perform the same translation. The change was trivial (removal of a single <nop>) and should be low risk.

CC
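
The failure and the fix described in the two comments above, modelled as an added example (not TWiki's code and not part of the original report). The template, the `%PARAM1%` placeholder handling, the message strings and all function names are assumptions made for illustration.

```python
import html
import re

# Hypothetical oops-style template: the markup lives here, the message arrives as a parameter.
TEMPLATE = "<div class='alert'>%PARAM1%</div>"

def render_oops(template, params):
    """Fill %PARAMn% placeholders, entity-encoding every value so markup in it stays inert."""
    return re.sub(r"%(PARAM\d+)%",
                  lambda m: html.escape(params.get(m.group(1), ""), quote=True),
                  template)

def visible_text(rendered):
    """Rough model of what the browser shows: drop real tags, then decode entities."""
    return html.unescape(re.sub(r"<[^>]*>", "", rendered))

def messages_needing_conversion(catalogue):
    """Return ids of messages that contain tags, which encoding turns into visible text."""
    return sorted(k for k, v in catalogue.items() if re.sub(r"<[^>]*>", "", v) != v)

# Constructed sample messages (not TWiki's real strings).
CATALOGUE = {
    "reset_ok_html": "<span class='twikiAlert'>A new password has been sent.</span>",
    "reset_ok_plain": "A new password has been sent.",
}
PAYLOAD = "<script>/* constructed */</script>"  # constructed hostile parameter value

if __name__ == "__main__":
    for name, value in [*CATALOGUE.items(), ("payload", PAYLOAD)]:
        out = render_oops(TEMPLATE, {"PARAM1": value})
        print(f"{name}: {out}\n  shown as: {visible_text(out)}")
    print("convert:", messages_needing_conversion(CATALOGUE))
```

The HTML-formatted message is shown to the user as literal markup, which is the symptom in the report, while the plain-text form renders as intended and the hostile value is neutralised by the same encoding.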

ItemTemplate
Summary Reset password oops might be broken
ReportedBy TWiki:Main.SvenDowideit
Codebase 4.2.0
SVN Range TWiki-4.3.0, Sat, 06 Oct 2007, build 15172
AppliesTo Engine
Component

Priority Urgent
CurrentState Closed
WaitingFor

Checkins TWikirev:15541 TWikirev:15542
TargetRelease minor
ReleasedIn 4.2.0
Topic revision: r6 - 2007-11-09 - CrawfordCurrie
 