* Aryeh Gregor <Simetrical+wikilist(a)gmail.com> [Thu, 27 Jan 2011
14:27:21 -0500]:
HTML5 specifies that they should, for passwords:
"User agents must not allow users to insert U+000A LINE FEED (LF) or
U+000D CARRIAGE RETURN (CR) characters into the value."
http://www.whatwg.org/specs/web-apps/current-work/multipage/states-of-the-t…
The value sanitization algorithm also makes sure this holds for
default values and script-inserted values.
Oops.. My mistake - it seems that Thunderbird mail appends extra space
character (32) to the end of selection in the clipboard instead (when
the password is located in separated text line and one selects the
complete line using mouse), not CR / LF. However, as the password field
input value is hidden, users cannot realize why he / she cannot login
when copying / pasting the password from TB mail. It would be more
user-friendly in case trim() was used.
Dmitriy