Don’t rely on maxlength to shorten passwords
Monday, February 6th, 2006 at 6:47 pm

It is bad practice to rely on the maxlength attribute of form fields to ensure the real length of entered data. That much I knew, as playing with curl made me aware how vulnerable forms are on the wild wild web.
However, I was a bit agog when I realised that it is possible to change the value of a field to a word longer than maxlength on MSIE and Opera.
I set up a demo that shows how to override maxlength with JavaScript.
So, don’t trust maxlength; make sure to also check the real length on the server side.
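One way to do that server-side check, shown as an added example that is not part of the original post. It validates a raw form body in Node.js; the field names, limits and sample bodies are assumptions made up for illustration.

```javascript
// Added example: enforce field lengths on the server, whatever the browser did.
// Field names and limits are assumed; they should mirror the form's maxlength values.
const LIMITS = { username: 32, password: 64 };

// Validate a raw application/x-www-form-urlencoded request body.
// Returns { ok, errors, values } and accepts only fields that pass every check.
function validateForm(rawBody, limits = LIMITS) {
  const params = new URLSearchParams(rawBody);
  const errors = [];
  const values = {};
  for (const [field, max] of Object.entries(limits)) {
    const all = params.getAll(field);
    // A repeated field could let one layer check a different copy than another uses.
    if (all.length !== 1) {
      errors.push(`${field}: expected exactly one value, got ${all.length}`);
      continue;
    }
    const value = all[0];
    // String length in UTF-16 code units, the same unit browsers use for maxlength.
    if (value.length === 0) {
      errors.push(`${field}: missing`);
    } else if (value.length > max) {
      errors.push(`${field}: ${value.length} characters, limit is ${max}`);
    } else {
      values[field] = value;
    }
  }
  return { ok: errors.length === 0, errors, values };
}

// Constructed sample bodies (not captured traffic).
const okBody = "username=alice&password=correct+horse";
// What arrives when the client ignored maxlength="64" (script-set value, curl, ...).
const longBody = "username=alice&password=" + "x".repeat(65);
const dupBody = "username=alice&password=a&password=b";

for (const body of [okBody, longBody, dupBody]) {
  const result = validateForm(body);
  console.log(result.ok ? "accepted" : `rejected: ${result.errors.join("; ")}`);
}
```

Reject over-length input rather than silently truncating it: a password cut short on the server no longer matches what the user believes they set.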