* Aryeh Gregor Simetrical+wikilist@gmail.com [Thu, 27 Jan 2011 14:27:21 -0500]:
HTML5 specifies that they should, for passwords:
"User agents must not allow users to insert U+000A LINE FEED (LF) or U+000D CARRIAGE RETURN (CR) characters into the value."
http://www.whatwg.org/specs/web-apps/current-work/multipage/states-of-the-ty...
The value sanitization algorithm also makes sure this holds for default values and script-inserted values.
Oops.. My mistake - it seems that Thunderbird mail appends extra space character (32) to the end of selection in the clipboard instead (when the password is located in separated text line and one selects the complete line using mouse), not CR / LF. However, as the password field input value is hidden, users cannot realize why he / she cannot login when copying / pasting the password from TB mail. It would be more user-friendly in case trim() was used. Dmitriy