#11 Password with ampersand doesn't work

[Jedrzej]

Users are unable to login with passwords containing an ampersand "&" character.

The problem is in operations.js which creates a string with user-supplied data without any escaping:

var username = document.forms['loginform'].username.value;
var password = document.forms['loginform'].password.value;
var server = document.forms['loginform'].server.value;

[...]

var paramData = "username=" + username + "&password=" + password + "&server=" + server;

The string paramData is then sent to the server with var request = YAHOO.util.Connect.asyncRequest('POST', url, callback, paramData);

An "&" charater is embedded into the paramData string without being properly encoded.

A simple fix is to change the line:

var password = document.forms['loginform'].password.value;

to:

var password = escape(document.forms['loginform'].password.value);

This results in a properly encoded password to embed into paramData string.