author | Jonathan Prykop <jonathan@freeside.biz> | 2015-11-21 01:54:21 -0600 |
---|---|---|
committer | Jonathan Prykop <jonathan@freeside.biz> | 2015-12-14 20:21:41 -0600 |
commit | 32b783795ee3a39752fc72f2c861eac8cdb6d12a (patch) | |
tree | 9fca89413ee5aceca3ad6b8a547dea3da37a3f4d /httemplate/elements | |
parent | a2d1bca6d13c6760f2c7c2de677da4df3f9e5c3e (diff) |
RT#29354: Password Security in Email
Diffstat (limited to 'httemplate/elements')
-rw-r--r-- | httemplate/elements/change_password.html | 6 | ||||
-rw-r--r-- | httemplate/elements/random_pass.html | 18 | ||||
-rw-r--r-- | httemplate/elements/validate_password.html | 58 |
3 files changed, 78 insertions, 4 deletions
diff --git a/httemplate/elements/change_password.html b/httemplate/elements/change_password.html
index 625ba1fb5..7d8daaeaf 100644
--- a/httemplate/elements/change_password.html
+++ b/httemplate/elements/change_password.html
@@ -16,6 +16,12 @@
 <& /elements/random_pass.html, $pre.'password', 'randomize' &>
 <INPUT TYPE="submit" VALUE="change">
 <INPUT TYPE="button" VALUE="cancel" onclick="<%$pre%>toggle(false)">
+ <DIV ID="<%$pre%>password_result" STYLE="font-size: smaller"></DIV>
+ <& '/elements/validate_password.html',
+ 'fieldid' => $pre.'password',
+ 'svcnum' => $svc_acct->svcnum,
+
+ &>
 % if ( $error ) {
 <BR><SPAN STYLE="color: #ff0000"><% $error |h %></SPAN>
 % }
diff --git a/httemplate/elements/random_pass.html b/httemplate/elements/random_pass.html
index b215b77d9..14bbb581d 100644
--- a/httemplate/elements/random_pass.html
+++ b/httemplate/elements/random_pass.html
@@ -1,13 +1,23 @@
 <INPUT TYPE="button" VALUE="<% emt($label) %>" onclick="randomPass()">
 <SCRIPT TYPE="text/javascript">
 function randomPass() {
+ var lower='<% join('', 'a'..'z') %>';
+ var upper='<% join('', 'A'..'Z') %>';
+ var number='<% join('', '0'..'9') %>';
+ var symbol='`~!@#$%^&*-_=+:;<>,.?';
+ var pw_set=lower+upper+number+symbol;
+ var pass=[];
+ pass.push(lower.charAt(Math.floor(Math.random() * lower.length)));
+ pass.push(upper.charAt(Math.floor(Math.random() * lower.length)));
+ pass.push(number.charAt(Math.floor(Math.random() * number.length)));
+ pass.push(symbol.charAt(Math.floor(Math.random() * symbol.length)));
 var i=0;
- var pw_set='<% join('', 'a'..'z', 'A'..'Z', '0'..'9' ) %>';
- var pass='';
- while(i < 8) {
+ while(i < 4) {
 i++;
- pass += pw_set.charAt(Math.floor(Math.random() * pw_set.length));
+ pass.push(pw_set.charAt(Math.floor(Math.random() * pw_set.length)));
 }
+ for(var j, x, i = pass.length; i; j = Math.floor(Math.random() * i), x = pass[--i], pass[i] = pass[j], pass[j] = x);
+ pass = pass.join('');
 document.getElementById('<% $id %>').value = pass;
 }
 </SCRIPT>
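Review bot: In random_pass.html, randomPass() still draws every character and every shuffle swap from `Math.random()`, which is not a cryptographic generator, so the generated account passwords are only as unpredictable as the browser's PRNG state; `window.crypto.getRandomValues` is the appropriate source where the browser provides it. The uppercase pick also scales by `lower.length` instead of `upper.length`, which is harmless only because both sets hold 26 characters. Separately, assigning `.value` from script does not fire `onchange`, so a generated password would presumably bypass the validation hook this commit attaches to the same field in change_password.html. The fence sketches an unbiased index helper and the corrected picks.

```javascript
// Unbiased index in [0, n) from the browser CSPRNG (rejection sampling).
function randomIndex(n) {
  var buf = new Uint32Array(1);
  var limit = Math.floor(0x100000000 / n) * n;
  do {
    window.crypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}
function randomPass() {
  // … unchanged: lower, upper, number, symbol, pw_set, pass …
  pass.push(lower.charAt(randomIndex(lower.length)));
  pass.push(upper.charAt(randomIndex(upper.length)));
  pass.push(number.charAt(randomIndex(number.length)));
  pass.push(symbol.charAt(randomIndex(symbol.length)));
  // … unchanged: fill loop and shuffle, with randomIndex(pw_set.length) and randomIndex(i) replacing the Math.random() expressions …
```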
diff --git a/httemplate/elements/validate_password.html b/httemplate/elements/validate_password.html
new file mode 100644
index 000000000..fd2cb6ca0
--- /dev/null
+++ b/httemplate/elements/validate_password.html
@@ -0,0 +1,58 @@
+<%doc>
+
+To validate passwords via javascript/xmlhttp:
+
+ <INPUT ID="password_field" TYPE="text">
+ <DIV ID="password_field_result">
+ <& '/elements/validate_password.html',
+ fieldid => 'password_field',
+ svcnum => $svcnum
+ &>
+
+The ID of the input field can be anything; the ID of the DIV in which to display results
+should be the input id plus '_result'.
+
+</%doc>
+
+<& '/elements/xmlhttp.html',
+ 'url' => $p.'misc/xmlhttp-validate_password.html',
+ 'subs' => [ 'validate_password' ],
+ 'method' => 'POST', # important not to put passwords in url
+&>
+<SCRIPT>
+function add_password_validation (fieldid) {
+ var inputfield = document.getElementById(fieldid);
+ inputfield.onchange = function () {
+ var fieldid = this.id+'_result';
+ var resultfield = document.getElementById(fieldid);
+ if (this.value) {
+ resultfield.innerHTML = '<SPAN STYLE="color: blue;">Validating password...</SPAN>';
+ validate_password('fieldid',fieldid,'svcnum','<% $opt{'svcnum'} %>','password',this.value,
+ function (result) {
+ result = JSON.parse(result);
+ var resultfield = document.getElementById(result.fieldid);
+ if (resultfield) {
+ if (result.valid) {
+ resultfield.innerHTML = '<SPAN STYLE="color: green;">Password valid!</SPAN>';
+ } else if (result.error) {
+ resultfield.innerHTML = '<SPAN STYLE="color: red;">'+result.error+'</SPAN>';
+ } else {
+ result.syserror = result.syserror || 'Server error';
+ resultfield.innerHTML = '<SPAN STYLE="color: red;">'+result.syserror+'</SPAN>';
+ }
+ }
+ }
+ );
+ } else {
+ resultfield.innerHTML = '';
+ }
+ };
+}
+add_password_validation('<% $opt{'fieldid'} %>');
+</SCRIPT>
+
+<%init>
+my %opt = @_;
+</%init>
+
+
|
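Review bot: The validate_password callback writes `result.error` and `result.syserror` into the page through `innerHTML`, so any markup in the server's message is parsed as HTML; if those strings can ever echo part of the submitted password or other user-influenced data (the server side is not shown here), that is a script-injection path, and building the SPAN around a text node avoids it. `JSON.parse(result)` is also unguarded, so a non-JSON reply such as an error or login page would throw and leave "Validating password..." on screen; a try/catch that falls through to the 'Server error' branch would cover it. `<% $opt{'svcnum'} %>` and `<% $opt{'fieldid'} %>` are emitted into single-quoted JavaScript strings with no visible escaping, which is fine for the caller in this commit but worth escaping for the string context in a reusable element. The check runs only in the browser and is advisory, so the same rules need to be enforced when the form is submitted.

```javascript
// Render a status message as text, so markup in a server-supplied string is not parsed.
function show_password_result (resultfield, color, text) {
  var span = document.createElement('SPAN');
  span.style.color = color;
  span.appendChild(document.createTextNode(text));
  resultfield.innerHTML = '';
  resultfield.appendChild(span);
}
// … unchanged: add_password_validation up to the validate_password callback …
          if (result.valid) {
            show_password_result(resultfield, 'green', 'Password valid!');
          } else {
            show_password_result(resultfield, 'red', result.error || result.syserror || 'Server error');
          }
// … unchanged: end of the callback and the empty-value branch …
```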