From d47d3d6289a29d9323b885e373e435692ff38799 Mon Sep 17 00:00:00 2001 From: Tim Bongers <117283193+tbongers-cat@users.noreply.github.com> Date: Fri, 18 Aug 2023 14:27:57 +0200 Subject: [PATCH] UI/Init: Add autocomplete="off" for password fields (#6149) --- Services/Init/classes/class.ilStartUpGUI.php | 2 +- src/UI/Component/Input/Field/Factory.php | 6 +++++ .../templates/default/Input/tpl.password.html | 2 +- .../Input/Field/PasswordInputTest.php | 27 +++++++++---------- 4 files changed, 21 insertions(+), 16 deletions(-) diff --git a/Services/Init/classes/class.ilStartUpGUI.php b/Services/Init/classes/class.ilStartUpGUI.php index adfb5fe3ae9c..d14c775e44a5 100755 --- a/Services/Init/classes/class.ilStartUpGUI.php +++ b/Services/Init/classes/class.ilStartUpGUI.php @@ -529,7 +529,7 @@ protected function initStandardLoginForm(): ilPropertyFormGUI $pi->setRetype(false); $pi->setSkipSyntaxCheck(true); $pi->setSize(20); - $pi->setDisableHtmlAutoComplete(false); + $pi->setDisableHtmlAutoComplete(true); $pi->setRequired(true); $form->addItem($pi); diff --git a/src/UI/Component/Input/Field/Factory.php b/src/UI/Component/Input/Field/Factory.php index 675eaf5ba801..41a940bfd398 100644 --- a/src/UI/Component/Input/Field/Factory.php +++ b/src/UI/Component/Input/Field/Factory.php @@ -320,6 +320,12 @@ public function tag(string $label, array $tags, ?string $byline = null): Tag; * rules: * usage: * 1: Password Input MUST be used for passwords. + * composition: + * 1: > + * The input MUST always be rendered with the attribute autocomplete="off". + * This advises browsers to NOT autofill the input field with cached passwords + * and avoids potential exposure of confidential data, especially in + * shared environments. * interaction: * 1: > * Password Input SHOULD NOT limit the number of characters. diff --git a/src/UI/templates/default/Input/tpl.password.html b/src/UI/templates/default/Input/tpl.password.html index 93e0f244cc13..2da5448c6c5c 100644 --- a/src/UI/templates/default/Input/tpl.password.html +++ b/src/UI/templates/default/Input/tpl.password.html @@ -1,5 +1,5 @@
- value="{VALUE}" {DISABLED} class="form-control form-control-sm" /> + value="{VALUE}" {DISABLED} class="form-control form-control-sm" autocomplete="off" /> {PASSWORD_REVEAL} diff --git a/tests/UI/Component/Input/Field/PasswordInputTest.php b/tests/UI/Component/Input/Field/PasswordInputTest.php index 42be92be1a57..9f2c72316f05 100644 --- a/tests/UI/Component/Input/Field/PasswordInputTest.php +++ b/tests/UI/Component/Input/Field/PasswordInputTest.php @@ -1,7 +1,5 @@ getDefaultRenderer(); $expected = '
- +
- +
-
'.$byline.'
+
' . $byline . '
'; $this->assertHTMLEquals($expected, $r->render($pwd)); @@ -116,7 +115,7 @@ public function test_render_error(): void
-
+
byline
'); @@ -134,10 +133,10 @@ public function test_render_no_byline(): void $r = $this->getDefaultRenderer(); $expected = '
- +
- +
'; @@ -155,10 +154,10 @@ public function test_render_value(): void $r = $this->getDefaultRenderer(); $expected = '
- +
- +
'; @@ -177,10 +176,10 @@ public function test_render_required(): void $expected = '
- +
- +
'; @@ -199,10 +198,10 @@ public function test_render_disabled(): void $expected = '
- +
- +
';