[wp-trac] [WordPress Trac] #34281: Allow admins to send users a 'Reset Password' link
WordPress Trac
noreply at wordpress.org
Mon Nov 9 19:02:34 UTC 2015
#34281: Allow admins to send users a 'Reset Password' link
-------------------------------------------------+-------------------------
Reporter: Ipstenu
Owner: adamsilverstein
Type: defect (bug)
Status: assigned
Priority: normal
Milestone: 4.4
Component: Users
Version: trunk
Severity: normal
Resolution:
Keywords: has-patch needs-testing has-screenshots needs-refresh
Focuses: javascript
-------------------------------------------------+-------------------------
Comment (by eventualo):
Replying to [comment:23 adamsilverstein]:
Thanks a lot @adamsilverstein for your feedback.
> How would the response contain HTML? It should only be text unless I am
> missing something?
>
> I'm concerned that using .html() opens a security hole because the
> response would be evaluated. If an attacker could alter the response, they
> could inject JavaScript into the admin page. I'd prefer to stick to text()
> which is safer.
During my tests, I also got some error messages while sending emails. One
error message is in HTML:
''The email could not be sent.<br />Possible reason: your host may have
disabled the mail() function.''
For this reason I proposed .html(), but I understand the security issue,
and I agree.
> Also I'm not sure fadein is appropriate, do we use that anywhere else in
> core?
>
> In the previous version of the patch, we disable the button upon
> response, preventing duplicate clicks. That part is missing in your latest
> patch. I think this better matches what we are doing with the 'Log me out
> everywhere else' button right below this button. It might make more sense
> to fire right after clicking the button instead of on response.
>
I didn't disable the button upon response. With my patch, the button is
properly disabled only on successful sending, as in the previous patch. But
if there is an error, the button is not disabled: this behaviour also
happened in the previous version, so I proposed the fadeIn. In my opinion it
could be a quick way to solve the issue of an always-active button.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/34281#comment:24>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform