Backport: Base_callDialogMethod: Do not redirect when form has a password field.
If it is the case *and* the action script does not redirect, the password will be in user's browser history. There can be two different reasons to not redirect: - not following the API (ie, intentionally not redirecting) - letting an exception reach ZPublisher Also, if the non-redirection causes an HTML page to be rendered, resources loaded by that page will have a referrer containing the password, leaking it to potentially foreign servers.
Showing
Please register or sign in to comment