https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911 Bug ID: 19911 Summary: Passwords displayed to user during self-registration are not HTML-encoded Change sponsored?: --- Product: Koha Version: 17.11 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: OPAC Assignee: oleonard@myacpl.org Reporter: library@sll.texas.gov QA Contact: testopia@bugs.koha-community.org Created attachment 70252 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70252&action=edit Example of the generated password not displaying properly due to the less-than character treated as opening HTML tag If self-registration is enabled and the PatronSelfRegistrationPrefillForm system preference is set to "Display and prefill," self-registered users are shown their password upon successfully registering. If the password contains a less-than character, browsers treat this as the beginning of an HTML element, and so the less-than character and anything after it does not display since the password is not HTML-encoded. If Koha is set to generate passwords automatically during self-registration (i.e., users are not allowed or required to enter a password in the self-registration form), any generated password containing the less-than character will not display correctly. Users who are expected to copy/save their password at this time cannot do so, and there is no way to recover that generated password. Attached is a screenshot showing what I mean. A solution would to HTML-encode the passwords when they are displayed as part of the self-registration process, regardless of whether the user must verify their e-mail address first (opac-registration-verify.pl). -- You are receiving this mail because: You are watching all bug changes.