From 23831686bb2e360dc247d47ca7a60f593bb6dc86 Mon Sep 17 00:00:00 2001
From: Andrew Ruthven
Date: Wed, 11 Aug 2021 21:40:03 +1200
Subject: [PATCH] Don't escape HTML characters in the password.

We allow them when users set their passwords, and no doubt allowed from LDAP and other external sources. We should allow them to be entered. Closes #229.
---
 htdocs/always.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/always.php b/htdocs/always.php
index f37b939f..63be3b0d 100644
--- a/htdocs/always.php
+++ b/htdocs/always.php
@@ -10,7 +10,7 @@ if ( preg_match('{/always.php$}', $_SERVER['SCRIPT_NAME'] ) ) header('Location:
 // XSS Protection
 function filter_post(&$val, $index) {
- if(in_array($index, ["newpass1", "newpass2"])) return;
+ if(in_array($index, ["newpass1", "newpass2", "password"])) return;
 switch (gettype($val)) {
 case "string":
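Review bot: The `in_array` call on the added line compares loosely, so on PHP versions before 8 an integer key of 0 (for example the first element of an array-valued field) is equal to every string in the list and that value skips the filter; pass the strict flag, `if (in_array($index, ["newpass1", "newpass2", "password"], true)) return;`. The exemption is also by key name alone, so any POST field called `password`, on any form that includes this file, now arrives unescaped. Since the filter no longer covers that field, any page that writes the submitted password back into HTML (presumably a login form redisplayed after a failed attempt, to be confirmed) should call `htmlspecialchars()` at the point of output. The body of `filter_post` continues past the end of the hunk, so how the remaining types are handled and how the function is invoked are not visible here.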