Should we keep this check and instead of an error show a warning that the pasted code has been trimmed?

Additionally we could also add this limitation to a help text.. 🤔

If we keep that line, this condition won’t be triggered:

if ( newPassword.length > 255 ) {
    setError( __( 'Password cannot exceed 255 characters.' ) );

This means we won’t be able to check if the character limit is exceeded. To handle that, we would need to listen for keydown and paste events in order to show an error or warning when the limit is breached.

I mean listening events won't be that straight-forward as this approach.
If your experience says that we should change the approach then lets do it 🚀.
Let me know accordingly 😇

show a warning that the pasted code has been trimmed?

Just to make things clear, the error should be converted to warning & the message should say the following right?
Password cannot exceed 255 characters \n The pasted password may have been trimmed

Yeah, I see the dilemma. It would be nice to keep the HTML attribute for compatibility. HTML validation attributes also work well with assistive technologies, improving accessibility.

There's another, low-tech option that might be better UX: just tell folks that the maximum is 255 before they enter, and reinstate the maxLenth attr.

Given that it's an edge case anyway, I don't think we need to overthink it.

Then we could just remove the error message and associated handlers.

What do folks think?

I'm likely missing a nuance (apologies) but could it make sense to use browser native UI for this? Here's an example.

This seems like a good option, provided it doesn’t impact the validation process.

Another workaround could be displaying a warning at 255 characters, indicating that any additional characters will be trimmed off. This way we can keep the warning & the maxLenth attr too.

This seems like a good option, provided it doesn’t impact the validation process.

Another workaround could be displaying a warning at 255 characters, indicating that any additional characters will be trimmed off. This way we can keep the warning & the maxLenth attr too.

@ramonjd @ntsekouras @jameskoster awaiting your feedbacks on this suggestion.

Worth a try, I think.

Keeping the max length attribute may lead to the existing problem, copying in a password 300 characters long would be trimmed to 255 but the error message would inform the user "any furtther characters will be trimmed" or whatever the string turns out to be.

The MDN recommendation is to code up validation in an accessible manner:

Browsers often don't let the user type a longer value than expected into text fields. A better user experience than just using maxlength is to also provide character count feedback in an accessible manner and let the user edit their content down to size. An example of this is the character limit when posting on social media. JavaScript, including solutions using maxlength, can be used to provide this.
-- MDN: client side form validation

Then lets skip the max length attribute & just display an error message that the password can't exceed 255 chars