Signup component improvements
Some things I noticed from (ab)using the signup component during test building:
- There is no validation of the fields at all:
  - Any or all fields can currently be left blank
  - The email can be anything at all, for example a trivial exploit for system mail calls: `; $(cd / && python -m SimpleHTTPServer 54321 &)`
- Errors are not explained, for example:
  - `409 Conflict`, when a user already exists with the supplied username or email, simply shows `CONFLICT`. Ideally it would say something like `A user with that ${fieldname} already exists.`
- Elements are generally un-annotated with accessible classes/IDs. This makes it hard to build robust selectors, which in turn makes robust testing or detailed theming difficult.
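The first two points above (blank fields, and an email address that reaches a system mail call unfiltered) are easiest to see side by side. The following is an added example written for this report, not the signup component's own code: it assumes the form has `username`, `email` and `password` fields, uses a deliberately strict address pattern of my own choosing, and shows the vulnerable shell-string mail call next to a hardened argv-list version. The `mailer` parameter is a stand-in for whatever mail binary the component actually calls; the demo substitutes `echo` so that the injected command only prints a marker instead of starting a server.

```python
import re
import subprocess

# Constructed sample inputs: the payload quoted in the report, plus a harmless
# variant so the demonstration only prints a marker instead of starting a server.
REPORTED_PAYLOAD = "; $(cd / && python -m SimpleHTTPServer 54321 &)"
DEMO_PAYLOAD = "; echo INJECTED"

# Strict address pattern (an assumption; adjust to the project's own rules).
# It admits no whitespace, quotes, ';', '$', '(' or ')', so shell metacharacters
# can never reach a mail call even if some caller later forgets to avoid the shell.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

REQUIRED_FIELDS = ("username", "email", "password")  # assumed form fields


def validate_signup(fields):
    """Return {field: message} for every problem found; an empty dict means valid."""
    errors = {}
    for name in REQUIRED_FIELDS:
        if not (fields.get(name) or "").strip():
            errors[name] = f"{name} must not be blank"
    if "email" not in errors and not EMAIL_RE.fullmatch(fields["email"]):
        errors["email"] = "email is not a valid address"
    return errors


def conflict_message(field):
    """Explain a 409 instead of the bare CONFLICT the component shows today."""
    return f"A user with that {field} already exists."


def send_mail_vulnerable(email, mailer="mail"):
    """Vulnerable pattern: the address is interpolated into a shell command string.
    shell=True hands that string to /bin/sh, which honours ';' and '$(...)'."""
    cmd = f"{mailer} -s Welcome {email}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def send_mail_safe(email, mailer="mail"):
    """Hardened pattern: validate first, then pass an argv list with no shell,
    so the address is one literal argument whatever characters it contains."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("refusing to mail to an invalid address")
    argv = [mailer, "-s", "Welcome", email]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(validate_signup({}))
    print(validate_signup({"username": "alice", "email": REPORTED_PAYLOAD, "password": "hunter2"}))
    # 'echo' stands in for the mail binary so this runs anywhere and only prints.
    print(repr(send_mail_vulnerable(DEMO_PAYLOAD, mailer="echo")))  # INJECTED shows up
    print(repr(send_mail_safe("alice@example.com", mailer="echo")))
```

Running the script shows the injected `echo INJECTED` executing through the shell-string version, while the argv version either rejects the address outright or passes it through as a single literal argument. The validation and the no-shell call are independent defences; the component needs both, since validation rules tend to be loosened later.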