Project

General

Profile

Actions
Copy link

BUG #4238

open

dev #4299: [SQA] : Auth module

[SQA] Create New Password: Password containing HTML/script tags fails on Sign In

Added by Aman Bhuiyan 2 months ago. Updated 15 days ago.

Status:
Pending
Priority:
High
Assignee:
Ayat Rahman
Target version:
sprint 04
Start date:
02/03/2026
Due date:
% Done:

100%

Estimated time:
Spent time:
0:15 h

Description

Description

Module/Section: Agency → Create New Password
Profile: Agency
Issue Category: Functional

On the Create New Password page, a password containing HTML/script tags can be successfully set, but the same password fails during Sign In, resulting in an incorrect password error.
This indicates inconsistent password handling and missing input sanitization between the reset and authentication flows.

Steps to Reproduce

  1. Go to Forgot Password and submit an email with an existing account.
  2. Open the verification link and navigate to Create New Password.
  3. Enter S!<script>alert(1)</script> as New Password and Confirm Password.
  4. Submit to reset the password (success message appears).
  5. Go to Sign In and attempt to log in using the same email and password.
  6. Observe the error message.

Expected Result

Passwords containing HTML/script tags should be either:

  • Rejected or sanitized consistently, or
  • If accepted, should authenticate successfully after reset.

Actual Result

The password is accepted during reset but fails during Sign In, causing an incorrect password error.

Attachments

Impact Area:

Root Cause:

Additional Info

  • Tested By: Aman
Actions
Copy link

Also available in: Atom PDF