Christian Heilmann

Don’t rely on maxlength to shorten passwords

Monday, February 6th, 2006 at 6:47 pm

It is bad practice to rely on the maxlength attribute of form fields to ensure the real length of entered data. That much I knew, as playing with curl made me aware how vulnerable forms are on the wild wild web.

However, I was a bit agog when I realised that it is possible to change the value of a field to a word longer than maxlength on MSIE and Opera.

I set up a demo that shows how to override maxlength with JavaScript .

So, don’t trust maxlength, make sure to also check the real length on the server side.

[tags]security, HTML, maxlength, webdevtrick[/tags]

Share on Mastodon (needs instance)

Share on BlueSky

Newsletter

Check out the Dev Digest Newsletter I write every week for WeAreDevelopers. Latest issues:

Word is Doomed, Flawed LLM benchmarks, hard sorting and CSS mistakes Spot LLM benchmark flaws, learn why sorting is hard, how to run Doom in Word and how to say "no" like a manager.
30 years of JS, Browser AI, how attackers use GenAI, whistling code Learn how to use AI in your browser and not on the cloud, why AI makes different mistakes than humans and go and whistle up some code!
197: Dunning-Kruger steroids, state of cloud security, puppies>beer
196: AI killed devops, what now? LLM Political bias & AI security Learn how AI killed DevOps, create long tasks in JS, why 1 in 5 security breaches are AI generated code & play "The Scope Creep"
195: End of likes, JS Zoo and Tim Berners-Lee doesn't see AI vs Web Meta kills like buttons, Tim-Berners-Lee thinks AI won't kill the web, GitHub is ending toasts and the worst selling Microsoft product.

My other work: