On Thu, Jan 27, 2011 at 1:58 AM, Dmitriy Sintsov questpc@rambler.ru wrote:
Surely it should. In a very similar manner, I've had a trouble with local MediaWiki installation (old 1.14, haven't checked with newer ones), when I've created user accounts and sent these via the email, people were unable to login, because when you select a text line using a mouse, Thunderbird mail sometimes copies line feed character into clipboard, so it was pasted into the password field then and the password didn't match. Users were frustrated. I've explained them that line feed is being placed into the clipboard which is visible when you paste it into the text editor. I am unsure which browser they have been used, maybe some browsers strip 13 / 10 from text inputs, maybe don't.
HTML5 specifies that they should, for passwords:
"User agents must not allow users to insert U+000A LINE FEED (LF) or U+000D CARRIAGE RETURN (CR) characters into the value." http://www.whatwg.org/specs/web-apps/current-work/multipage/states-of-the-ty...
The value sanitization algorithm also makes sure this holds for default values and script-inserted values.