12577 - Invalid HTML / Don't use GET

Status: VERIFIED FIXED

(Bugzilla :: Bugzilla-General, defect, P3)

Description

[philemon]

It's my first bug report here, so please bear with me. I have searched for a
similar bug, but found none.

On http://bugzilla.mozilla.org/changepassword.cgi, if one fills in the data and
presses "Login", the URL contains the password.

Well, IMHO, it's generally a bad idea to use METHOD="get" when sending password
due to additional security loss (ok, which security ;-). If this is intention
for bookmarking the URL, well you may want to reconsider it nevertheless.

----

Second (sorry, if this should be in a second bug): The resulting page contains
no end tag for the FORM element. Therefore this page does not work with either
M10 or Amiga Voyager V3pre2: Everything is displayed fine, but nothing happens,
when "Submit" is pressed.

end of BODY and HTML are also missing, but the FORM is what causes it to stop
working. Additionally, no DTD is specified at top.

I did not search for further mistakes. You may want to apply a HTML checker on
all pages. ;-)

Comment 1

[Terry Weissman]

Yes, two bug reports would have been better, but no big deal.

Fixed.  (Well, there are still some cases where the password can appear up in
the URL, because of bookmarking stuff and the like, but this particular obvious
case has been fixed.)

And I added a "</FORM>".

Comment 2

[Dave Miller [:justdave]]

per Terry, auto-verifying any resolved bug that hasn't been touched since before 
2.10 was released.

Comment 3

[Dave Miller [:justdave]]

Moving to Bugzilla product