Folks, I believe the password value should never ever be modified, that includes space stripping.
Albert wrote:
Passwords should not contain leading/trailing spaces
Strong claim. I think it's clumsy if they do, but still a password is a password :-)
Albert wrote:
it is usually because of a paste error
I agree here, I rarely see people willing to have trailing spaces in their passwords. UI/UX-wise, people should be allowed to peek at their password as they are entering it (to validate its correctness). Also, it's the very reason why the password change form has you repeat the new password (and sometimes even blocks any copy-pasting, which is actually bad UI/UX because it cripples password managers).
Akihiro wrote:
Django AuthenticationForm does not strip an input password
Which is how it should be.
Akihiro wrote:
Other usages of CharField may assume the default behavior.
Indeed, one should modify horizon, not django, here.
Sorin wrote:
This kind of feature must always be implemented in the client (browser)
Well, it can (and is in this case) also be implemented on the server side (by horizon/django here).
Sorin wrote:
no server side API should ever try to “sanitize” a password string.
Sanitization is always performed to avoid SQL injection and the like.
-yoctozepto
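Added example, not part of the original message and not Horizon or Django code: a standard-library Python sketch of the trade-off argued in this thread, showing what happens at login when a form field strips whitespace and when it does not. `clean_field` is a hypothetical stand-in for a form field's strip option, and the passwords are constructed sample values.

```python
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 over the exact UTF-8 bytes: every character, spaces included, counts.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_record(password: str) -> tuple[bytes, bytes]:
    # Models a password set through a path that stores the value unmodified.
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def clean_field(value: str, strip: bool) -> str:
    # Hypothetical stand-in for a form field with a strip option (assumption).
    return value.strip() if strip else value


def login(submitted: str, record: tuple[bytes, bytes], strip: bool) -> bool:
    salt, expected = record
    candidate = hash_password(clean_field(submitted, strip), salt)
    return hmac.compare_digest(candidate, expected)


def outcomes() -> dict[str, bool]:
    # Constructed sample values.
    spaced = make_record("correct horse ")   # password really ends with a space
    plain = make_record("s3cret-Passw0rd")   # password has no surrounding spaces
    return {
        # Stripping at login locks out the user whose password contains the space.
        "spaced_password_strip": login("correct horse ", spaced, strip=True),
        "spaced_password_no_strip": login("correct horse ", spaced, strip=False),
        # Stripping at login forgives a paste that picked up a trailing space.
        "paste_error_strip": login("s3cret-Passw0rd ", plain, strip=True),
        "paste_error_no_strip": login("s3cret-Passw0rd ", plain, strip=False),
    }


if __name__ == "__main__":
    for case, accepted in outcomes().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```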