stackoom
  简体   繁体   中英

Storing form inputs in component state in React.js, specifically passwords

 原文  2019-02-06 16:46:53       javascript/ html/ reactjs

Question

got a question about forms in React.js. I don't actually have an issue, but was wondering if there were any flaws in my approach.

I have a simple form, with two inputs for both email and password, like so:

  <input
   type="email"
   name="email"
   value={this.state.email}
   onChange={this.handleChange}
   data-message-required="Please enter your email address"
   data-message-email="Please enter a VALID email address"
   />

and

<input
 type="password"
 name="password"
 value={this.state.password}
 onChange={this.handleChange}
 data-minlength="3"
 data-maxnlength="20"
 data-message="Please enter your password"
 />

handleChange() is written as so: 

  handleChange = e => {
   this.setState({
    [e.target.name]:e.target.value
  })}

My question is, is that are there any vulnerabilities in this code? When using React Dev Tools, I can track the components internal state, and the password appears as plaintext. I'm unsure if this means that it is possible for other sources to acquire the password through tracking the component's state.

Sorry if this question has been answered before, I did a quick search but could not find something that was specifically on this topic. Thanks for your time.

4 answers

solution1
 11 ACCPTED  2019-02-06 16:54:42

No, no vulnerability here: the user will be able to see the password while it is inside her browser, after she inputs it...

A password should not be a secret for it's owner... :-)

Of course you will use https protocol if you send the password to a server, otherwise it will be visible on the cable , an that is a security issue!

solution2
 2  2020-09-24 20:02:12

I agree with @MarcoS there is no security issue.

I would add if a thief knows how to read the state in dev tools he can also do this:

document.querySelector("[type=password]").value

solution3
 1  2019-02-06 17:13:11

Well to respond your questions on two layers:

First: You'll need authorization to take place in a secured setting, and the browser isn't that place. If you're guarding a form submittal, for example, it's up to you to have the server-side code that processes the submittal to validate that the captcha response is as expected. The fact that client-side state can be manipulated shouldn't really matter as long as you're not using that as your sole source of validation/authorization like passwords .

Second: I recommend that you use password-hash a node.js library to use hashed passwords . I didnt tested myself but that shouldn't be an issue. Of course https protocols is how the client and server need to communicate.

solution4
 1  2020-07-10 04:49:25

Of course the password must be protected and disable to be revealed, it could be avoided using refs and without onChange event

<input type="password" ref="password"/>

And when the form is submitted you can get the password as follow

const password = this.refs.password.value;

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to pass state/data from one component to another in React.js (riot api specifically) React.js State is not defined in class component React.js component has null state? Assigning the state of a component to variables in React.js React.js: Managing State and Component Rerender Getting data to state component in React.js Typescript with React.JS - Handling Form Events for Multiple Inputs React.js: How to submit form if inputs are validated? Can't get autocompleted inputs in React.js form with onChange Loading component not rendering in React.js form component?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM