Bug: System.Web.UI.HtmlControls.HtmlInputControl - Type = Password

[Marco Scheel]

Hello NG,

i think i found a bug. I've programmed an application that uses a HTML Input
textbox. The HTML type is "Password". The content is marked with "*". Thats
fine. I change the runat tag to server. Now i try to fill the control value
an nothing happens. try example at bottom.

i tried some workaround but even with the asp:textbox it doesen't work. i
need this peace of code for a loginscreen where i want to fill the password
from a local cookie, so the user is still able to change the login for a
different user.

Any comment?

Bye Marco

<%@ Page Language="C#" AutoEventWireup="True" %>

<html>
<head>

<script language="C#" runat="server">

void Page_Load(object sender, EventArgs e)
{

if (Page.IsPostBack)
{
Span1.InnerHtml="Hidden value: <b>" + HiddenValue.Value +
"</b>";
}
}

void SubmitBtn_Click(object sender, EventArgs e)
{
HiddenValue.Value=StringContents.Value;
}

</script>

</head>

<body>

<form runat=server>

<h3>HtmlInputHidden Sample</h3>

<input id="HiddenValue"
type=password
value="Initial Value"
runat=server>

Enter a string:

<input id="StringContents"
type=text
size=40
runat=server>

<p>

<input type=submit
value="Enter"
OnServerClick="SubmitBtn_Click"
runat=server>

<p>

<span id=Span1 runat=server>
This label will display the previously entered string.
</span>

</form>

</body>
</html>

 

[Anatoly]

Try this one:
txtPassword.attributes.add("value", [password])

But it mean that you show your password to any one(because value is shown in
html view source)
HTH

 

[Marco Scheel]

Try this one:
txtPassword.attributes.add("value", [password])

This doesen't work. I've tried it. Only workaround is to get rid of the
runat server and use something like that:

But it mean that you show your password to any one(because value is
shown in html view source)
HTH

I know that. But if the user is willing to store the password in a cookie
(it is his choice, we don't force him) then it its ok to write the password
in the html because we use https for transport. Even if i retriev the value
from the cookie, i have to fill someting in the form field so the user
thinks the password is allready typed in. i could use asteriks... but if
hier tries to log in as another user (then stored in the cookie) the text
would be shown in cleartext... that is bad.

But thanx for you comment.

Bye Marco

 

[Jacob Yang [MSFT]]

Hi Marco,

If the runat property of the html password field was set to "server",
ASP.NET will ignore its value for the consideration of security.

If you want to set the value of a password filed that runs at server from
code-behind, we should emit a block of client-side script via the
RegisterStartupScript method. For example,

private void Page_Load(object sender, System.EventArgs e)
{
// Put user code to initialize the page here
String pwd = "my password";
String scriptString = "<script language=JavaScript>\n";
scriptString += "function Page_Load()\n";
scriptString += "{\n";
scriptString += "document.getElementById('password1').value='" + pwd +
"';\n";
scriptString += "}\n";
scriptString += "</script>\n";

if(!this.IsStartupScriptRegistered("Startup"))
this.RegisterStartupScript("Startup", scriptString);

}

Then, to call the client-script above, add the onload property to the
<body> tag in HTML source.

<body MS_POSITIONING="GridLayout" onload="return Page_Load();">

Please let me know if it makes sense.

Best regards,

Jacob Yang
Microsoft Online Partner Support
Get Secure! ¨C www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.