From 46ec1f2b791940e955401446bccd27360ed2c82b Mon Sep 17 00:00:00 2001
From: Robin Munn
Date: Mon, 15 Jan 2024 14:11:14 +0700
Subject: [PATCH] Forbid colon from appearing in passwords

Colon (:) can, if not quoted properly, confuse HTTP URLs with user:pass.
---
 frontend/src/lib/forms/utils.ts | 2 +-
 frontend/src/lib/i18n/locales/en.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/frontend/src/lib/forms/utils.ts b/frontend/src/lib/forms/utils.ts
index 9823c167f..ad20c8929 100644
--- a/frontend/src/lib/forms/utils.ts
+++ b/frontend/src/lib/forms/utils.ts
@@ -14,7 +14,7 @@ export function tryParse(zodType: ZodType, value: T): ValidT
 export function passwordFormRules($t: Translater): z.ZodString {
 return z.string()
 .min(4, $t('form.password.too_short'))
- .regex(/^[^&%+]+$/, $t('form.password.forbidden_characters'));
+ .regex(/^[^&%:+]+$/, $t('form.password.forbidden_characters'));
 }

 export function emptyString(): z.ZodString {
diff --git a/frontend/src/lib/i18n/locales/en.json b/frontend/src/lib/i18n/locales/en.json
index 3ae709506..b46ea7881 100644
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -345,7 +345,7 @@ the [Linguistics Institute at Payap University](https://li.payap.ac.th/) in Chia
 },
 "form": {
 "password": {
- "forbidden_characters": "The symbols &, +, and % are not allowed in passwords",
+ "forbidden_characters": "The symbols &, +, :, and % are not allowed in passwords",
 "too_short": "Must be at least 4 characters"
 }
 },
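Review bot: The character class in `passwordFormRules` is a denylist extended one delimiter at a time: with `:` added it still admits `@`, `/`, `?` and `#`, which would split a `user:pass@host` URL in the same way if the credentials are interpolated without encoding. If the code that builds those URLs can be changed, percent-encoding the password there (for example with `encodeURIComponent`) removes the need to restrict the alphabet. If it cannot, consider `.regex(/^[^&%:+@\/?#]+$/, $t('form.password.forbidden_characters'))` together with a comment such as `// these characters break clients that embed credentials in a URL unencoded`. As far as this diff shows the rule runs only in the frontend form schema, so the server-side password check presumably needs the same restriction to be effective; that code is not visible here and should be confirmed.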