Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Storing form inputs in component state in React.js, specifically passwords

got a question about forms in React.js. I don't actually have an issue, but was wondering if there were any flaws in my approach.

I have a simple form, with two inputs for both email and password, like so:

  <input
   type="email"
   name="email"
   value={this.state.email}
   onChange={this.handleChange}
   data-message-required="Please enter your email address"
   data-message-email="Please enter a VALID email address"
   />

and

<input
 type="password"
 name="password"
 value={this.state.password}
 onChange={this.handleChange}
 data-minlength="3"
 data-maxnlength="20"
 data-message="Please enter your password"
 />

handleChange() is written as so:

  handleChange = e => {
   this.setState({
    [e.target.name]:e.target.value
  })}

My question is, is that are there any vulnerabilities in this code? When using React Dev Tools, I can track the components internal state, and the password appears as plaintext. I'm unsure if this means that it is possible for other sources to acquire the password through tracking the component's state.

Sorry if this question has been answered before, I did a quick search but could not find something that was specifically on this topic. Thanks for your time.

like image 267
ifiore Avatar asked Feb 06 '19 16:02

ifiore


People also ask

How do I show password in input field in React?

To show or hide the password in the input field in Reactjs, the basic idea is to change the input tag's type attribute to text from password and vice versa on clicking the "Show password" button or an appropriate button of your own.

How do you store form data in state React?

Create React ComponentCreate src > components folder and create a component file for storing form data in local storage. Name this file form-data-component. js and paste the following code in it. We created a basic user form using Bootstrap 4.


2 Answers

No, no vulnerability here: the user will be able to see the password while it is inside her browser, after she inputs it...

A password should not be a secret for it's owner... :-)

Of course you will use https protocol if you send the password to a server, otherwise it will be visible on the cable, an that is a security issue!

like image 167
MarcoS Avatar answered Sep 21 '22 05:09

MarcoS


I agree with @MarcoS there is no security issue.

I would add if a thief knows how to read the state in dev tools he can also do this:

document.querySelector("[type=password]").value
like image 45
spedy Avatar answered Sep 21 '22 05:09

spedy