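// JS function for Step #3

/**
 * Returns true when any of the given form fields holds a value that IIS
 * request validation would reject as code injection: a literal "<" or the
 * "&#" entity prefix. The first offending field is focused so the user can
 * correct it.
 *
 * @param {ArrayLike<HTMLInputElement>} arrFields - array (or array-like, e.g. a
 *   form element) of controls; entries without a name or value are skipped,
 *   as are missing (undefined/null) entries.
 * @returns {boolean} true if an offending field was found, false otherwise.
 */
function doesPWContainIllegalChars(arrFields) {
  var reEntityPrefix = /[&][#]/; // "&#..." numeric/named entity prefix
  if (!arrFields) return false;
  for (var i = 0; i < arrFields.length; i++) {
    var fld = arrFields[i];
    // Skip absent controls and those with no name or empty value
    if (!fld || !fld.name || !fld.value) continue;
    if (fld.value.includes("<") || reEntityPrefix.test(fld.value)) {
      if (typeof fld.focus === "function") fld.focus();
      return true;
    }
  }
  return false;
}

// JS Function for Step #6

var g_bUseHIBP = true;

/**
 * Returns true when the Pwned Passwords range response lists the given hash
 * suffix. The endpoint answers with one "SUFFIX:COUNT" line per hash, so the
 * suffix column is compared exactly rather than substring-searching the body.
 * This also fixes the original `indexOf(suffix) > 0`, which missed a match on
 * the very first line (index 0).
 *
 * @param {string} data - raw response body from /range/{prefix}
 * @param {string} suffix - upper-case hex SHA-1 suffix (characters 6..40)
 * @returns {boolean}
 */
function hibpRangeContainsSuffix(data, suffix) {
  var target = String(suffix).toUpperCase();
  return String(data)
    .split(/\r?\n/)
    .some(function (line) {
      return line.split(":")[0].trim().toUpperCase() === target;
    });
}

/**
 * Checks the password in the field pwfldID against Have I Been Pwned using
 * the k-anonymity range API (only the first 5 hex chars of the SHA-1 leave
 * the browser). On a clean result funcContinue is invoked asynchronously;
 * on a breached password or a transport error a message is rendered into
 * thediv and the submission is NOT continued (fail closed, matching the
 * original handling of non-"success" statuses).
 *
 * @param {string} pwfldID - DOM id of the password input
 * @param {string|Element} thediv - target passed to setElemContentDirect
 * @param {Function} funcContinue - callback that performs the real submit
 */
function checkHIBP(pwfldID, thediv, funcContinue) {
  var pw = document.getElementById(pwfldID).value;
  if (pw === "") {
    // Allow PG to handle blank passwords as usual
    funcContinue();
    return;
  }
  try {
    // SHA-1 the password; only the 5-char prefix is sent to the API
    var hasher = sha1.create();
    hasher.update(pw);
    var hash = hasher.hex().toUpperCase();
    var prefix = hash.substring(0, 5);
    var suffix = hash.substring(5);
    var url = "https://api.pwnedpasswords.com/range/" + prefix;

    // Render the outcome message and, when a field is named, focus/mark it.
    var displayResult = function (msg, fld) {
      setElemContentDirect(msg, thediv);
      if (fld.length > 0) {
        try {
          var elem = document.getElementById(fld);
          elem.focus();
          elem.select();
          elem.className = g_defInputClass + " errorfield";
        } catch (e) {
          // best effort: focusing/marking the field is cosmetic only
        }
      }
      // 2019-09-24 - Re-display quality rules if configured to do so!
      if (g_bPremptivePWRules && g_bRealtimePWQuality && g_objPWQuality) {
        g_bRecreatePWQualMsg = true;
      }
    };

    // NOTE(review): the range API also accepts an "Add-Padding: true" request
    // header so response sizes do not leak which prefix bucket was queried;
    // switching to $.ajax with that header is a possible follow-up.
    $.get(url, function (data, status) {
      var fld = "";
      var msg = "";
      if (status === "success") {
        if (hibpRangeContainsSuffix(data, suffix)) {
          msg = showError("Unsafe Password", "This password has been exposed in a prior data breach, please choose a different password.");
          fld = pwfldID;
        } else {
          setTimeout(funcContinue, 10);
        }
      } else {
        // An error condition, so use the error renderer (the original called showSuccess here)
        msg = showError("Error", "Unexpected HTTP status code: " + status);
      }
      displayResult(msg, fld);
    }).fail(function (jqXHR, status) {
      // The success callback never runs on a transport/HTTP failure; without
      // this handler the form would hang with no message and no submit.
      // Fail closed like the non-"success" branch above; if availability during
      // an API outage matters more, call funcContinue() here instead.
      displayResult(showError("Error", "Unexpected HTTP status code: " + status), "");
    });
  } catch (e) {
    console.log(formatException("checkHIBP()", e));
  }
}

// JS Function for Step #7

/**
 * Pre-submit hook for the self-service reset form. On step 5 it rejects
 * passwords with IIS-illegal characters and, when enabled and SSAction is
 * "2", defers the submit to the asynchronous HIBP check.
 *
 * @param {HTMLFormElement} frm
 * @param {string|Element} thediv - message target
 * @returns {boolean} false to stop the synchronous submit, true to allow it
 */
function preResetPasswordHandler(frm, thediv) {
  if (frm.SSStep != null && frm.SSStep.value === "5") {
    // Ensure the password doesn't contain anything that IIS will reject as code injection.
    // The whole form is passed (array-like), so every named control is scanned;
    // the original also passed a stray second argument that the checker ignores.
    if (doesPWContainIllegalChars(frm)) {
      setElemContentDirect(getNewPWHasIllegalCharsMsg(), thediv);
      return false;
    }
    if (g_bUseHIBP && frm.SSAction != null && frm.SSAction.value === "2") {
      checkHIBP("SSNewPassword", thediv, function () {
        doWSPAuth(frm, thediv);
      });
      return false; // This function is async so always prevent the initial submittal
    }
  }
  return true;
}

// JS Function for Step #8

/**
 * Pre-submit hook for the password-change form. The illegal-character check
 * now runs BEFORE the HIBP check on step 5: the original set bPrevent but
 * then returned from the checkHIBP branch without ever consulting it, so a
 * password with illegal characters could be submitted via doWSPAuth whenever
 * HIBP was enabled.
 *
 * @param {HTMLFormElement} frm
 * @param {string|Element} thediv - message target
 * @returns {boolean} false to stop the synchronous submit, true to allow it
 */
function preSetPasswordHandler(frm, thediv) {
  if (frm.PWChangeStep == null) return true;

  var isNewPasswordStep = frm.PWChangeStep.value === "5";
  var fieldsToCheck = isNewPasswordStep
    ? [frm[DEF_FLD_NEWPW], frm[DEF_FLD_CONFPW]]
    : [frm[DEF_FLD_PASSWORD]];

  // Ensure the password doesn't contain anything that IIS will reject as code injection
  if (doesPWContainIllegalChars(fieldsToCheck)) {
    setElemContentDirect(getNewPWHasIllegalCharsMsg(), thediv);
    return false;
  }

  if (isNewPasswordStep && g_bUseHIBP) {
    checkHIBP("NewPassword", thediv, function () {
      doWSPAuth(frm, thediv);
    });
    return false; // This function is async so always prevent the initial submittal
  }
  return true;
}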