Log Injection.go should probably not log plaintext passwords

Hi, just noticed that the usability test explicitly logs passwords in plaintext, which probably isn’t secure:

Is this an issue? Or is this more of a “contrived” challenge that is focused on malicious chars in logfiles?

You have hit the nail on the head with this being a contrived challenge focusing on malicious characters / statements being written to log files and the potential consequences of allowing malicious character sequences to be handled by a vulnerable application.

In a real-world scenario plaintext passwords ideally would not be exposed or logged at any point.