[TASK] Mitigate browser "spell jacking" in form elements

Having manually(!) enabled "enhanced spell checking" in browsers, can lead to scenarios where password data is sent to remote services which actually take care of the spell checking. see https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords Since this issue is caused by browsers and the determination of "confidentiality" is fuzzy here, this issue is handled in public. Following changes have been applied: + forms dealing mainly with credentials, as well as all forms in ext:install have been adjusted to `<form ... spellcheck="false">` + other password form elements, including TCA type `password` have been adjusted to `<input type="password" ... spellcheck="false">` Resolves: #98492 Releases: main Change-Id: I32cab686040e09fb491a93187a3c1b196e7cf1bf Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75930 Tested-by: core-ci <typo3@b13.com> Tested-by: Georg Ringer <georg.ringer@gmail.com> Tested-by: Benjamin Franzke <bfr@qbus.de> Reviewed-by: Torben Hansen <derhansen@gmail.com> Reviewed-by: Georg Ringer <georg.ringer@gmail.com> Reviewed-by: Benjamin Franzke <bfr@qbus.de>
TYPO3 · Oct 1, 2022 · 2d863f9 · 2d863f9
1 parent 7112562
commit 2d863f9
Show file tree

Hide file tree

Showing 15 changed files with 18 additions and 13 deletions.
diff --git a/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php b/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php
@@ -88,6 +88,7 @@ public function render()
         $attributes = [
             'value' => '',
             'id' => $fieldId,
+            'spellcheck' => 'false',
             'class' => implode(' ', [
                 'form-control',
                 't3js-clearable',

diff --git a/typo3/sysext/backend/Resources/Private/Layouts/Login.html b/typo3/sysext/backend/Resources/Private/Layouts/Login.html
@@ -43,7 +43,7 @@ <h1 class="visually-hidden"><f:translate key="LLL:EXT:backend/Resources/Private/
                                     <f:be.infobox message="{f:translate(key: 'LLL:EXT:backend/Resources/Private/Language/locallang.xlf:login.error.referrer')}" state="2" />
                                 </div>
                                 <div class="typo3-login-form t3js-login-formfields">
-                                    <form action="{formActionUrl}" method="post" name="loginform" id="typo3-login-form">
+                                    <form action="{formActionUrl}" method="post" name="loginform" id="typo3-login-form" spellcheck="false">
                                         <input type="hidden" name="login_status" value="login" />
                                         <input type="hidden" name="userident" id="t3-field-userident" class="t3js-login-userident-field" value="" />
                                         <input type="hidden" name="redirect_url" value="{redirectUrl}" />

diff --git a/typo3/sysext/backend/Resources/Private/Templates/Login/ResetPasswordForm.html b/typo3/sysext/backend/Resources/Private/Templates/Login/ResetPasswordForm.html
@@ -49,6 +49,7 @@ <h3 class="callout-title"><f:translate key="LLL:EXT:backend/Resources/Private/La
                                     autocomplete="new-password"
                                     autofocus="autofocus"
                                     required="required"
+                                    spellcheck="false"
                                 />
                                 <div role="status" class="form-notice-capslock hidden t3js-login-alert-capslock">
                                     <img
@@ -75,6 +76,7 @@ <h3 class="callout-title"><f:translate key="LLL:EXT:backend/Resources/Private/La
                                     autocomplete="off"
                                     class="form-control input-login t3js-clearable t3js-login-password-field"
                                     required="required"
+                                    spellcheck="false"
                                 />
                                 <div role="status" class="form-notice-capslock hidden t3js-login-alert-capslock">
                                     <img aria-hidden="true" src="{images.capslock}" width="14" height="14" alt="" title="{f:translate(key: 'LLL:EXT:backend/Resources/Private/Language/locallang.xlf:login.error.capslock')}" />

diff --git a/typo3/sysext/backend/Resources/Private/Templates/Login/UserPassLoginForm.html b/typo3/sysext/backend/Resources/Private/Templates/Login/UserPassLoginForm.html
@@ -26,6 +26,7 @@
                     autofocus="autofocus"
                     autocomplete="username"
                     required="required"
+                    spellcheck="false"
                 />
                 <div role="status" class="form-notice-capslock hidden t3js-login-alert-capslock">
                     <img
@@ -54,6 +55,7 @@
                     class="form-control input-login t3js-clearable t3js-login-password-field"
                     autocomplete="current-password"
                     required="required"
+                    spellcheck="false"
                 />
                 <div role="status" class="form-notice-capslock hidden t3js-login-alert-capslock">
                     <img

diff --git a/typo3/sysext/felogin/Resources/Private/Templates/Login/Login.html b/typo3/sysext/felogin/Resources/Private/Templates/Login/Login.html
@@ -20,7 +20,7 @@ <h3>
         </f:form>
     </f:then>
     <f:else>
-        <f:form target="_top" fieldNamePrefix="" action="login" requestToken="{requestToken}">
+        <f:form target="_top" fieldNamePrefix="" action="login" requestToken="{requestToken}" additionalAttributes="{spellcheck: 'false'}">
             <f:render section="content" arguments="{_all}"/>
         </f:form>
     </f:else>
@@ -46,7 +46,7 @@ <h3>
         <div>
             <label>
                 <f:translate key="password"/>
-                <f:form.password name="pass" additionalAttributes="{required: 'required', autocomplete: 'current-password'}"/>
+                <f:form.password name="pass" additionalAttributes="{required: 'required', autocomplete: 'current-password'} "/>
             </label>
         </div>
 

diff --git a/...ext/install/Resources/Private/Partials/Settings/ExtensionConfiguration/ExtensionForm.html b/...ext/install/Resources/Private/Partials/Settings/ExtensionConfiguration/ExtensionForm.html
@@ -26,7 +26,7 @@ <h3 class="panel-title">
                     </f:for>
                 </ul>
 
-                <form action="#" name="configurationform" autocomplete="off" class="t3js-extensionConfiguration-form extensionConfiguration-form" data-extensionKey="{extensionKey}">
+                <form action="#" name="configurationform" autocomplete="off" class="t3js-extensionConfiguration-form extensionConfiguration-form" data-extensionKey="{extensionKey}" spellcheck="false">
 
                     <div class="tab-content">
                         <f:for each="{extensionData}" as="subcategories" key="categoryName" iteration="iterator">

diff --git a/typo3/sysext/install/Resources/Private/Templates/BackendModule/BackendUserConfirmation.html b/typo3/sysext/install/Resources/Private/Templates/BackendModule/BackendUserConfirmation.html
@@ -36,7 +36,7 @@ <h4 class="modal-title">
                                 <f:translate key="LLL:EXT:install/Resources/Private/Language/BackendModule.xlf:sudoPasswordInvalid" />
                             </div>
                         </f:if>
-                        <form method="post" class="form" id="confirm-sudo" action="{verifyUri}">
+                        <form method="post" class="form" id="confirm-sudo" action="{verifyUri}" spellcheck="false">
                             <div class="form-group">
                                 <div class="form-control-holder">
                                     <label for="confirmationPassword">

diff --git a/typo3/sysext/install/Resources/Private/Templates/Environment/MailTest.html b/typo3/sysext/install/Resources/Private/Templates/Environment/MailTest.html
@@ -22,7 +22,7 @@
 <div class="t3js-module-content" data-mail-test-token="{mailTestToken}">
     <div class="t3js-mailTest-output"></div>
 
-    <form id="t3js-mailTest-form">
+    <form id="t3js-mailTest-form" spellcheck="false">
         <div class="form-group">
             <label for="t3-install-checkmail">Email address:</label>
             <input

diff --git a/typo3/sysext/install/Resources/Private/Templates/Installer/ShowDatabaseConnect.html b/typo3/sysext/install/Resources/Private/Templates/Installer/ShowDatabaseConnect.html
@@ -12,7 +12,7 @@ <h2>Select database</h2>
                 <div class="typo3-install-content-spacer"></div>
                 <div class="row">
                     <div class="col-md-12">
-                        <form method="post">
+                        <form method="post" spellcheck="false">
                             <div class="row justify-content-center">
                                 <div class="col-md-12 mb-3">
                                     <div class="form-floating">

diff --git a/typo3/sysext/install/Resources/Private/Templates/Installer/ShowDatabaseData.html b/typo3/sysext/install/Resources/Private/Templates/Installer/ShowDatabaseData.html
@@ -12,7 +12,7 @@ <h3>Create Administrative User & Specify Site Name</h3>
         <div class="t3js-installer-databaseData-output"></div>
         <div class="typo3-install-content-spacer"></div>
 
-        <form method="post" id="stepInstaller-databaseData" class="t3-install-form-label-before">
+        <form method="post" id="stepInstaller-databaseData" class="t3-install-form-label-before" spellcheck="false">
             <input type="hidden" value="execute" name="install[set]" />
             <div class="row">
                 <div class="col-md-6">

diff --git a/typo3/sysext/install/Resources/Private/Templates/Installer/ShowDatabaseSelect.html b/typo3/sysext/install/Resources/Private/Templates/Installer/ShowDatabaseSelect.html
@@ -16,7 +16,7 @@ <h4>Exception</h4>
             </f:for>
         </f:if>
 
-        <form method="post" id="stepInstaller-databaseSelect">
+        <form method="post" id="stepInstaller-databaseSelect" spellcheck="false">
             <div class="row">
                 <div class="col-md-6">
                     <div class="radio">

diff --git a/typo3/sysext/install/Resources/Private/Templates/Installer/ShowDefaultConfiguration.html b/typo3/sysext/install/Resources/Private/Templates/Installer/ShowDefaultConfiguration.html
@@ -19,7 +19,7 @@ <h3>Want a pre-configured site?</h3>
             </div>
         </f:if>
 
-        <form method="post">
+        <form method="post" spellcheck="false">
             <div class="form-group">
                 <f:if condition="!{composerMode}">
                     <div class="radio">

diff --git a/typo3/sysext/install/Resources/Private/Templates/Login/ShowLogin.html b/typo3/sysext/install/Resources/Private/Templates/Login/ShowLogin.html
@@ -9,7 +9,7 @@ <h1 class="logo-pageheader">
     <div class="row justify-content-center">
         <div class="col-lg-8 col-xl-6">
             <div id="t3-install-box-body" class="mb-4">
-                <form method="post" class="row align-items-end" id="t3-install-form-login" data-login-token="{loginToken}">
+                <form method="post" class="row align-items-end" id="t3-install-form-login" data-login-token="{loginToken}" spellcheck="false">
                     <div class="col-12 col-md-auto mb-2 mb-md-0">
                         <label for="t3-install-form-password">Password</label>
                         <input id="t3-install-form-password" type="password" name="install[password]" class="t3-install-form-input-text form-control" autofocus="autofocus" />

diff --git a/typo3/sysext/install/Resources/Private/Templates/Maintenance/CreateAdmin.html b/typo3/sysext/install/Resources/Private/Templates/Maintenance/CreateAdmin.html
@@ -5,7 +5,7 @@
 </p>
 
 <div class="t3js-module-content" data-create-admin-token="{createAdminToken}">
-    <form action="" id="t3js-createAdmin-form" method="post">
+    <form action="" id="t3js-createAdmin-form" method="post" spellcheck="false">
         <div class="form-group">
             <label for="t3-install-admin-username" class="control-label">Username:</label>
             <input

diff --git a/typo3/sysext/install/Resources/Private/Templates/Settings/ChangeInstallToolPassword.html b/typo3/sysext/install/Resources/Private/Templates/Settings/ChangeInstallToolPassword.html
@@ -6,7 +6,7 @@
 </p>
 
 <div class="t3js-module-content" data-install-tool-token="{changeInstallToolPasswordToken}">
-    <form action="" id="t3js-changeInstallToolPassword-form" method="post">
+    <form action="" id="t3js-changeInstallToolPassword-form" method="post" spellcheck="false">
         <div class="form-group">
             <label for="t3-install-tool-password" class="control-label">Enter new password:</label>
             <input