    Base_callDialogMethod: Do not redirect when form has a password field. · fc297215
    Vincent Pelletier authored
    If it is the case *and* the action script does not redirect, the password will be
    in the user's browser history.
    There can be two different reasons to not redirect:
    - not following the API (i.e., intentionally not redirecting)
    - letting an exception reach ZPublisher
    Also, if the non-redirection causes an HTML page to be rendered, resources
    loaded by that page will have a referrer containing the password, leaking it
    to potentially foreign servers.
Base_callDialogMethod.py 10.5 KB
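
The decision the commit message describes, as an added example that is not the code of Base_callDialogMethod.py: a simplified model that redirects with values in the query string only when the form has no password field, plus a check for password fields that ended up in a URL. The form layouts, field names, URLs and the `dispatch`, `leaked_fields` and `change_password` names are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed form descriptions: field name -> widget type (hypothetical).
LOGIN_FORM = {"your_reference": "StringField", "your_password": "PasswordField"}
SEARCH_FORM = {"your_title": "StringField"}


def has_password_field(form_fields):
    """True when any field of the dialog form is a password widget."""
    return any(kind == "PasswordField" for kind in form_fields.values())


def dispatch(form_fields, values, action_url, action):
    """Return ('redirect', url) or ('call', result).

    A redirect serialises the submitted values into the query string, so the
    URL lands in browser history and in the Referer header of every resource
    the resulting page loads. A form with a password field is therefore
    handled by calling the action directly, keeping values out of any URL.
    """
    if has_password_field(form_fields):
        return "call", action(**values)
    return "redirect", action_url + "?" + urlencode(values)


def leaked_fields(url, form_fields):
    """Names of password fields whose values appear in a URL's query string."""
    query = parse_qs(urlsplit(url).query)
    return sorted(name for name, kind in form_fields.items()
                  if kind == "PasswordField" and name in query)


def change_password(**kw):
    """Hypothetical action script standing in for the dialog method."""
    return "changed for %s" % kw["your_reference"]
```

`leaked_fields` can also be run over access-log or proxy-log URLs to find requests made before such a fix was deployed.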