Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#47733] - [5.4] Installer silently trims leading and trailing spaces from admin passwords

No Code Attached Yet bug
avatar krishnagandhicode
krishnagandhicode
4 May 2026

What happened?

found while testing #46173

Steps to reproduce:
on a fresh Joomla installation
At the Super User setup step type or paste a password that has a space at the end eg " mypasswordis " (it has space in begining and a space in ending)
finish the installation process
now on the admin login page
Try to log in with the exact password you just used (including the space) or use your password manager like in video shared.

Version

5.4

Expected result

show a warning message that leading and trailing spaces were removed.

Actual result

The installer form silently trims the trailing/leading spaces before saving to the database, but doesn't warn the user.

558994276-fb2ddb30-2d04-4628-9fb5-8162bd5b4765.mp4
Image

System Information

No response

Additional Comments

No response

avatar krishnagandhicode krishnagandhicode - open - 4 May 2026
avatar joomla-cms-bot joomla-cms-bot - change - 4 May 2026
Labels Added: No Code Attached Yet bug
avatar joomla-cms-bot joomla-cms-bot - labeled - 4 May 2026
avatar brianteeman
brianteeman - comment - 4 May 2026

I might be wrong but I seem to recall that this trim was specifically requested.

avatar LadySolveig
LadySolveig - comment - 5 May 2026

@brianteeman That’s absolutely right, you’re not mistaken. However, as it isn’t obvious to the user and, as @krishnagandhicode mentioned, happens silently later on, it can simply be very confusing if the browser offers to save the password at this point and we only ‘manipulate’ it later, meaning the user can’t log in with their saved password. Krishna separated these as an additional Issue intentionally, as the first fix is more of a functional nature and this one is a UX fix.

avatar LadySolveig
LadySolveig - comment - 5 May 2026

@brianteeman That’s absolutely right, you’re not mistaken. However, as it isn’t obvious to the user and, as @krishnagandhicode mentioned, happens silently later on, it can simply be very confusing if the browser offers to save the password at this point and we only ‘manipulate’ it later, meaning the user can’t log in with their saved password. Krishna separated these as an additional Issue intentionally, as the first fix is more of a functional nature and this one is a UX issue.

avatar LadySolveig
LadySolveig - comment - 5 May 2026

@brianteeman That’s absolutely right, you’re not mistaken. However, as it isn’t obvious to the user and, as @krishnagandhicode mentioned, happens silently later on. It can simply be very confusing if the browser offers to save the password at this point and we only ‘manipulate’ it later, meaning the user can’t log in with their saved password. Krishna separated these as an additional Issue intentionally, as the first fix is more of a functional nature and this one is a UX issue.

avatar LadySolveig
LadySolveig - comment - 5 May 2026

@brianteeman That’s absolutely right, you’re not mistaken. However, as it isn’t obvious to the user and, as @krishnagandhicode mentioned, happens silently later on. It can simply be very confusing if the browser offers to save the password at this point and we only ‘manipulate’ it later, meaning the user can’t log in with their saved password. Krishna separated this as an additional Issue intentionally, as the first fix is more of a functional nature and this one is a UX issue.

avatar alikon
alikon - comment - 5 May 2026

as a follow-up of yesterday bug squad meeting and this discussion please check 4f24113 where i've added an info about spaces

Image
avatar krishnagandhicode krishnagandhicode - change - 5 May 2026
The description was changed
avatar krishnagandhicode krishnagandhicode - edited - 5 May 2026

Add a Comment

Login with GitHub to post a comment