MDL-30673 fix login autocompletion protection

moodle · Dec 30, 2011 · 4eaee2c · 4eaee2c
1 parent 2117dcb
commit 4eaee2c
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 9 deletions.
diff --git a/blocks/login/block_login.php b/blocks/login/block_login.php
@@ -35,25 +35,27 @@ function get_content () {
         // TODO: now that we have multiauth it is hard to find out if there is a way to change password
         $forgot = $wwwroot . '/login/forgot_password.php';
 
+        if (empty($CFG->xmlstrictheaders) and !empty($CFG->loginpasswordautocomplete)) {
+            $autocomplete = 'autocomplete="off"';
+        } else {
+            $autocomplete = '';
+        }
+
         $username = get_moodle_cookie();
 
         $this->content->footer = '';
         $this->content->text = '';
 
         if (!isloggedin() or isguestuser()) {   // Show the block
 
-            $this->content->text .= "\n".'<form class="loginform" id="login" method="post" action="'.get_login_url().'">';
+            $this->content->text .= "\n".'<form class="loginform" id="login" method="post" action="'.get_login_url().'" '.$autocomplete.'>';
 
             $this->content->text .= '<div class="c1 fld username"><label for="login_username">'.get_string('username').'</label>';
             $this->content->text .= '<input type="text" name="username" id="login_username" value="'.s($username).'" /></div>';
 
             $this->content->text .= '<div class="c1 fld password"><label for="login_password">'.get_string('password').'</label>';
 
-            if (!empty($CFG->loginpasswordautocomplete)) {
-                $this->content->text .= '<input type="password" name="password" id="login_password" value="" autocomplete="off" /></div>';
-            } else {
-                $this->content->text .= '<input type="password" name="password" id="login_password" value="" /></div>';
-            }
+            $this->content->text .= '<input type="password" name="password" id="login_password" value="" '.$autocomplete.' /></div>';
 
             if (isset($CFG->rememberusername) and $CFG->rememberusername == 2) {
                 $checked = $username ? 'checked="checked"' : '';

diff --git a/lang/en/admin.php b/lang/en/admin.php
@@ -613,7 +613,7 @@
 $string['loginhttps'] = 'Use HTTPS for logins';
 $string['loginpageautofocus'] = 'Autofocus login page form';
 $string['loginpageautofocus_help'] = 'Enabling this option improves usability of the login page, but automatically focusing fields may be considered an accessibility issue.';
-$string['loginpasswordautocomplete'] = 'Prevent password autocompletion on login form.';
+$string['loginpasswordautocomplete'] = 'Prevent password autocompletion on login form';
 $string['loginpasswordautocomplete_help'] = 'Having this off will let users save their account password in their browser. Switching this setting on will result in your site no longer following XHTML strict validation rules.';
 $string['loglifetime'] = 'Keep logs for';
 $string['longtimewarning'] = '<b>Please note that this process can take a long time.</b>';

diff --git a/login/index_form.html b/login/index_form.html
@@ -4,6 +4,12 @@
 } else {
     $columns = 'onecolumn';
 }
+
+if (empty($CFG->xmlstrictheaders) and !empty($CFG->loginpasswordautocomplete)) {
+    $autocomplete = 'autocomplete="off"';
+} else {
+    $autocomplete = '';
+}
 ?>
 <div class="loginbox clearfix <?php echo $columns ?>">
   <div class="loginpanel">
@@ -29,7 +35,7 @@ <h2><?php print_string("returningtosite") ?></h2>
               echo '</div>';
           }
         ?>
-        <form action="<?php echo $CFG->httpswwwroot; ?>/login/index.php" method="post" id="login">
+        <form action="<?php echo $CFG->httpswwwroot; ?>/login/index.php" method="post" id="login" <?php echo $autocomplete; ?> >
           <div class="loginform">
             <div class="form-label"><label for="username"><?php print_string("username") ?></label></div>
             <div class="form-input">
@@ -38,7 +44,7 @@ <h2><?php print_string("returningtosite") ?></h2>
             <div class="clearer"><!-- --></div>
             <div class="form-label"><label for="password"><?php print_string("password") ?></label></div>
             <div class="form-input">
-              <input type="password" name="password" id="password" size="15" value="" <?php if (!empty($CFG->loginpasswordautocomplete)) {echo 'autocomplete="off"';} ?> />
+              <input type="password" name="password" id="password" size="15" value="" <?php echo $autocomplete; ?> />
               <input type="submit" id="loginbtn" value="<?php print_string("login") ?>" />
             </div>
             <div class="clearer"><!-- --></div>