Have a password with extended ASCII characters. e.g.:
- Go to “edit” in my settings.
- I enter my current password to change it (which I know is correct, as I could log in seconds ago)
- I enter “New password” and the confirmation.
- I click “Change Password”
The password changes
The current password is invalid.
My running hypothesis is that every form that is not the main login is sending the password note encoded with the appropriate encoding.
This is what I think is happening:
> urllib.parse.quote_plus(u"£".encode("latin-1")) '%A3' > urllib.parse.quote_plus(u"£") '%C2%A3'