Closed (fixed)
Project:
Webform
Version:
8.x-5.x-dev
Component:
Code
Priority:
Normal
Category:
Task
Assigned:
Reporter:
Created:
26 Feb 2018 at 14:54 UTC
Updated:
20 Jul 2021 at 18:07 UTC
Jump to comment: Most recent, Most recent file
The password field in Webform for Drupal 8 presents opportunities for misuse. While it provides an HTML password input type, Webform appears to save the data as plaintext in the database. Many Drupal site builders and content editors who can create Webforms may have the illusion that it is secure. See this discussion: https://stackoverflow.com/questions/48918876/drupal-webform-saving-passw....
Quicksketch had numerous comments about why he did not add password fields in the Webform D7 issue queue:
https://www.drupal.org/project/issues/webform?text=password+field&status...
Reasons for removal:
| Comment | File | Size | Author |
|---|---|---|---|
| #13 | 2947991-8.patch | 569 bytes | jrockowitz |
| #8 | 2947991-8.patch | 6.28 KB | jrockowitz |
| #6 | 2947991-6.patch | 4.96 KB | jrockowitz |
Comments
Comment #2
shrop commentedComment #3
shrop commentedComment #4
jrockowitz commentedYes, people might assume that the password element is secure by default. I think we need to provide a warning to site builders that passwords are stored as plain text.
I don't think we should remove the password element because there are sites that do not store any data in Drupal and push their data to a remote CRM. There are also some sites that are using a webform to create a Drupal user account and might need to collect a password.
How about we add a warning message to the password element that warns users that submitted passwords are stored as plain text and recommend that they install the Webform Encrypt module.
I would also be open to defaulting all new installations of the Webform module to have the password element disabled by default with a warning displayed when it is enabled. (@see /admin/structure/webform/config/elements)
Comment #5
jrockowitz commentedComment #6
jrockowitz commentedThe below notes can be used for the change record.
Summary
Notes
Comment #8
jrockowitz commentedComment #10
jrockowitz commentedI committed the patch. Please download the latest dev release to review.
Comment #11
shrop commentedI will take a look! Thanks for working to improve this for clarity to site builders.
I like the solution :)
Comment #12
adriancid@jrockowitz I have a doubt here:
Here I can't see the use of
$excluded_elementsis an error or I'm missing something here?Comment #13
jrockowitz commented@adriancid You are absolutely right. Thanks for catching that.
Comment #14
adriancidI think that you need to add another webform update function because some users maybe have the webform_update_8110() update on their sites, so to apply the changes another update is needed.
Comment #16
jrockowitz commentedDone!
@see https://cgit.drupalcode.org/webform/commit/?id=b2a99e7
Comment #18
damondt commentedThere are use cases acceptable both in terms of security and morality (not storing in db and sending encrypted to endpoint via handler for instance). It's not terribly time consuming to sidestep if you're familiar with the module and discovered this issue, but I'm unsure if I agree with the decision. Technical ability doesn't imply morality, so the decision is whether to make work for technical users in order to prevent unintentional misuse.