Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make links in the login page visually obvious #11474

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from

Conversation

oussama-taoufiq
Copy link

@oussama-taoufiq oussama-taoufiq commented Dec 27, 2024

Page / Screen Title
Defect Dojo login
Page URL / Screen ID
https://demo.defectdojo.org
Error Title
Creating links that are not visually evident without color vision
Error Severity
Serious
Status
Fail
Accessibility Issue
[Description of issue] "I forgot my password" and "I forgot my username" are links without underline and its not visually evident without color vision.

[Impact on users] Users may not know that they are links and can be misleading.

[Pattern] Within the login page.

[Sample of code] <a id="reset-password" href="/password_reset/">I forgot my password</a>

Remediation
[Recommendation]
Please remove styles on the hyperlinks so that it is visually easy to know that its an hyperlink.

[Additional Resources]
https://www.w3.org/WAI/WCAG21/Techniques/failures/F73
https://www.w3.org/WAI/WCAG21/Techniques/general/G182

"I forgot my password" and "I forgot my username" are links without underline and its not visually evident without color vision.
@github-actions github-actions bot added the ui label Dec 27, 2024
Copy link

DryRun Security Summary

The pull request focuses on cosmetic changes to the login template's "forgot password" and "forgot username" links while emphasizing the importance of reviewing the authentication system's security implementation across multiple providers.

Expand for full summary

Summary:

The provided code changes are focused on modifying the appearance of the "I forgot my password" and "I forgot my username" links in the Django template file dojo/templates/dojo/login.html. While these changes are primarily cosmetic, it's important to review the overall implementation of the login functionality and the integration with various authentication providers from a security perspective.

From a security standpoint, the changes do not introduce any obvious vulnerabilities. However, it's crucial to ensure that the password reset and username retrieval processes do not reveal sensitive information that could be used by an attacker, and that these functionalities are properly rate-limited and authenticated to prevent unauthorized access. Additionally, the implementation of the various authentication providers (Google, OKTA, Azure AD, GitLab, Auth0, Keycloak, GitHub Enterprise, and SAML2) should be reviewed to ensure they are properly configured and integrated securely into the application. Finally, the application should be thoroughly tested for common web application vulnerabilities, such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and others, to maintain a secure user authentication system.

Files Changed:

  • dojo/templates/dojo/login.html: This file is a Django template that handles the login functionality of the application. The changes made in this pull request modify the appearance of the "I forgot my password" and "I forgot my username" links by adding a custom CSS style to the <a> tags. While these changes are primarily cosmetic, it's important to review the overall implementation of the login functionality and the integration with various authentication providers from a security perspective.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Configured Codepaths Analyzer 1 finding

Overall Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.

@oussama-taoufiq
Copy link
Author

@mtesauro, @grendel513
The changes to the dojo/templates/dojo/login.html file change the appearance of the two links to be more visible for accessibility reasons and do not affect how authentication works.
Does using inline styling cause any problem? If I use external CSS file for my changes will be better?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant