Christian Heilmann

Don’t rely on maxlength to shorten passwords

Monday, February 6th, 2006 at 6:47 pm

It is bad practice to rely on the maxlength attribute of form fields to ensure the real length of entered data. That much I knew, as playing with curl made me aware how vulnerable forms are on the wild wild web.

However, I was a bit agog when I realised that it is possible to change the value of a field to a word longer than maxlength on MSIE and Opera.

I set up a demo that shows how to override maxlength with JavaScript .

So, don’t trust maxlength, make sure to also check the real length on the server side.

[tags]security, HTML, maxlength, webdevtrick[/tags]

Share on Mastodon (needs instance)

Share on BlueSky

Newsletter

Check out the Dev Digest Newsletter I write every week for WeAreDevelopers. Latest issues:

Don't stop thinking, AI Slop vs. OSS Security, rolling your own S3 Despite AI you still need to think, Bitter lessons from building AI products,  AI Slop vs. OSS security and pointer pointer…
200: Building for the web, what's left after rm -rf & 🌊🐴 vs AI What remains after you do a rm -rf? Why do LLMs know about a seahorse emoji? What image formats should you use? How private is your car?
Word is Doomed, Flawed LLM benchmarks, hard sorting and CSS mistakes Spot LLM benchmark flaws, learn why sorting is hard, how to run Doom in Word and how to say "no" like a manager.
30 years of JS, Browser AI, how attackers use GenAI, whistling code Learn how to use AI in your browser and not on the cloud, why AI makes different mistakes than humans and go and whistle up some code!
197: Dunning-Kruger steroids, state of cloud security, puppies>beer

My other work: