
Please remove sensitive private info from lgnForgotPassSentTpl

Open donShakespeare opened this issue 6 years ago • 2 comments

https://github.com/modxcms/Login/blob/master/core/components/login/elements/chunks/lgnforgotpasssenttpl.chunk.tpl

Something many users might not know is that when you allow the "Reset Password" feature, you really, really, really need to customize this one uncommon tpl:

[[!Login? &sentTpl=`lgnForgotPassSentTpl`]]

Otherwise, any lurker can get any user's email address if the lurker knows a username. The lurker just has to attempt a password reset with the given username.

The unusual default HTML of that tpl is something revealing like this: `<p>Your login information has been sent to the email address [[+email]].</p>`

donShakespeare · Dec 28 '18 21:12

What would be the preferred semantic? "If a username or email address matches, we will send an email with the password reset link."?

matdave · Dec 28 '18 21:12

This is what I use: `<p>Your login information has been sent to the email address associated with your account</p>`.

donShakespeare · Dec 28 '18 22:12
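As an added check (not code from the Login extra or from this thread), a small Python script that models MODX's `[[+name]]` placeholder substitution and flags a sentTpl that interpolates per-user data, comparing the default chunk quoted in the issue with the generic wording from the last comment. The placeholder regex, the `SENSITIVE` set and the sample accounts are assumptions constructed for the check.

```python
import re

# MODX chunk placeholder syntax: [[+name]] is replaced with a value at render time.
PLACEHOLDER = re.compile(r"\[\[\+([A-Za-z0-9_.]+)\]\]")

# Placeholders that would reveal per-user data to whoever typed the username
# on the "reset e-mail sent" page (assumed list for this check).
SENSITIVE = {"email", "username", "fullname"}

# The default chunk quoted in the issue, and the replacement from the last comment.
DEFAULT_SENT_TPL = "<p>Your login information has been sent to the email address [[+email]].</p>"
SAFE_SENT_TPL = ("<p>Your login information has been sent to the email address "
                 "associated with your account</p>")

# Constructed sample accounts (not real users).
USERS = [
    {"username": "alice", "email": "alice@example.com"},
    {"username": "bob", "email": "bob@example.net"},
]


def render(tpl: str, fields: dict) -> str:
    """Substitute [[+name]] placeholders; names without a value render empty (assumed)."""
    return PLACEHOLDER.sub(lambda m: str(fields.get(m.group(1), "")), tpl)


def leaked_placeholders(tpl: str) -> set:
    """Sensitive placeholder names the chunk would interpolate into the page."""
    return set(PLACEHOLDER.findall(tpl)) & SENSITIVE


def is_user_independent(tpl: str, users: list) -> bool:
    """True if every account yields the same confirmation text, so the page
    cannot be used to read an account's e-mail or tell accounts apart."""
    return len({render(tpl, u) for u in users}) == 1


if __name__ == "__main__":
    for name, tpl in (("default", DEFAULT_SENT_TPL), ("replacement", SAFE_SENT_TPL)):
        print(f"{name}: leaks={sorted(leaked_placeholders(tpl))} "
              f"user_independent={is_user_independent(tpl, USERS)}")
```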