DevEx fails to submit if password contains output characters

Bug
When submitting a DevEx request with a password that contains output characters, the DevEx submission will fail. Before being able to submit my request, I had to change my password to remove any special characters. In addition, the page will look like this:

Steps to Reproduce

  1. Change your password to contain output characters (", ', /, (, ), &)
  2. Attempt to submit a fully valid DevEx request with your new account password

2 Likes

I believe this is ROBLOX trying to clean strings from XSS, it is very understandable as this is the DevEx page, and they don’t want anything going wrong, but discouragement of keeping your password as secure as possible isn’t good (especially if you’re a developer that might be DevExing). I hope this is fixed.

2 Likes

You might want to refine your repro steps. Not just any special character, I think it’s specifically < and >.

Successfully Dev ex’d with other characters such as @$* as those won’t be recognised as XSS.

1 Like

Yes, I agree. Those characters are the ones that their XSS finder looks for before redirecting you, because they can be used to create tags like script tags, which in some scenarios, could be bad for users.

Pretty sure that “cryptic” page has existed for an extremely long time (since the beginning?). If mitigation smarter than panicking when an angle bracket appears isn’t going to happen, these characters should be forbidden in new passwords.

6 Likes

I can confirm this. I was playing around in the search box a long time ago with special characters and I got the error page, the same as that one as far as I know.

The page has existed since at least the early 2010s (that’s when I first saw it) and it hasn’t changed. I have to imagine it’s been basically left alone like other older pages.

1 Like

The problem here has nothing to do with the “cryptic” page, and these characters at no point should ever be forbidden in passwords.

Rather, engineers need to update the back-end of the DevEx submission handler to properly validate inputs from the DevEx form.

1 Like
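As an added illustration of the point made in the reply above (not code from Roblox or from any poster in this thread), the block below contrasts a blanket "reject any field containing an angle bracket" filter, which is the behaviour the report describes, with a handler that validates each field according to how it is used: the password is only hashed and compared, never rendered, so no character needs to be blocked from it, while free-text fields are HTML-encoded at render time. The form field names `password`, `amount` and `note` and the PBKDF2 parameters are assumptions for the example.

```python
import hashlib
import hmac
import html
import os
from typing import Dict, Optional

# Hypothetical field-aware handler. A password is never echoed back to a page,
# so an XSS blacklist on it only weakens passwords; it should go straight to
# the hash check. Fields that will be displayed are output-encoded instead.

def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2 digest (parameters are illustrative, not a recommendation)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt + digest

def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison against the stored salt+digest."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

# Constructed account record whose password contains the characters from the report.
_STORED = hash_password('pa<ss>w"ord\'&/()')

def naive_submit(form: Dict[str, str]) -> Dict[str, str]:
    """The reported behaviour: any field containing < or > aborts the request."""
    for name, value in form.items():
        if "<" in value or ">" in value:
            return {"status": "error", "reason": f"blocked on field {name!r}"}
    return {"status": "ok"}

def fixed_submit(form: Dict[str, str]) -> Dict[str, str]:
    """Validate each field by meaning: verify the password, type-check the
    amount, and HTML-encode free text only where it will be rendered."""
    if not verify_password(form.get("password", ""), _STORED):
        return {"status": "error", "reason": "bad password"}
    try:
        amount = int(form.get("amount", ""))
    except ValueError:
        return {"status": "error", "reason": "amount must be an integer"}
    if amount <= 0:
        return {"status": "error", "reason": "amount must be positive"}
    # The raw note would be stored as-is; this is the value safe to put in HTML.
    note_html = html.escape(form.get("note", ""), quote=True)
    return {"status": "ok", "amount": str(amount), "note_html": note_html}
```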

Thanks for the report. We are investigating.

3 Likes