BUG #4238
Updated by Aman Bhuiyan 2 months ago
### Description **Module/Section:** Agency → Create New Password **Profile:** Agency **Issue Category:** Functional On the **Create New Password** page, a password containing **HTML/script tags** can be successfully set, but the same password **fails during Sign In**, resulting in an **incorrect password error**. This indicates **inconsistent password handling** and **missing input sanitization** between the reset and authentication flows. ### Steps to Reproduce 1. Go to **Forgot Password** and submit an email with an existing account. 2. Open the verification link and navigate to **Create New Password**. 3. Enter `S!<script>alert(1)</script>` as **New Password** and **Confirm Password**. 4. Submit to reset the password (**success message appears**). 5. Go to **Sign In** and attempt to log in using the same email and password. 6. Observe the **error message**. ### Expected Result Passwords containing **HTML/script tags** should be either: - **Rejected or sanitized consistently**, or - If accepted, should **authenticate successfully** after reset. ### Actual Result The password is **accepted during reset** but **fails during Sign In**, causing an incorrect password error. ### Attachments - [PoC](https://drive.google.com/file/d/1V-yHuveq9z3adNlIAG6vdeuhTf0VMOne/view?usp=sharing) [PoC](https://drive.google.com/file/d/1lsNfQcWTKdNBfTTkC09HaYQB5iKx2IMg/view?usp=sharing) --- ### Impact Area: ### Root Cause: --- ### Additional Info - Tested By: Aman