user password containing "

ustk

I have a situation where a user has a " in his password.
While wordpress is allowing it, Hise doesn't, and adds the escape char \ so the password sent during the authentication is altered...

Is there a way to prevent this in Hise or should I just prevent from using " on the password creation page?
Any recommended WP plugin for this?

dannytaurus

@ustk said in user password containing ":

prevent from using " on the password creation page

+1 for this. Quotes get mangled all over the place. Best to avoid them.

ustk

@dannytaurus strange it's not forbidden by default...

David Healey

@ustk Yes I ran into this issue too a few years ago. I think it's the JWT plugin that was the issue, can't remember now.

I added this snippet to my site to prevent users using quotations marks in their passwords.

function prevent_quotation_mark_passwords($errors, $user) {
    if (strpos($user->user_pass, '"') !== false || strpos($user->user_pass, "'") !== false) {
        $errors->add('password_error', __('The password cannot contain quotation marks.', 'your-text-domain'));
    }

    return $errors;
}

add_filter('registration_errors', 'prevent_quotation_mark_passwords', 10, 2);
add_filter('user_profile_update_errors', 'prevent_quotation_mark_passwords', 10, 2);
add_filter('woocommerce_registration_errors', 'prevent_quotation_mark_passwords', 11, 3);
add_filter('woocommerce_save_account_details_errors', 'prevent_quotation_mark_passwords', 10, 3);

function custom_password_reset_validation($errors, $user) {
    $new_password = isset($_POST['password_1']) ? wc_clean($_POST['password_1']) : '';

    // Check if the password contains quotation marks
    if (strpos($new_password, '"') !== false || strpos($new_password, "'") !== false) {
        $errors->add('password_reset_error', __('The password cannot contain quotation marks.', 'your-text-domain'));
    }

    return $errors;
}

add_action('validate_password_reset', 'custom_password_reset_validation', 10, 2);

Oli Ullmann

@ustk
Oh, good to know!