
MDL-29917 prevent form autocompletion in most Moodle forms

The password autocompletion in case of Moodle makes sense only on the login page, the form autocompletion in general is most probably useful only on the user signup page.

This patch is compatible with html 5, unfortunately we have to ignore strict warnings in legacy xhtml 1.0 standard.
1 parent ea5534f commit 43625959f72f0312f0a956f7229f5032316de3f7 @skodak skodak committed Dec 30, 2011
Showing with 35 additions and 4 deletions.
  1. +11 −1 lib/form/password.php
  2. +10 −0 lib/form/passwordunmask.php
  3. +10 −0 lib/formslib.php
  4. +3 −2 lib/javascript-static.js
  5. +1 −1 login/signup.php
12 lib/form/password.php
@@ -15,6 +15,16 @@ class MoodleQuickForm_password extends HTML_QuickForm_password{
*/
var $_helpbutton='';
function MoodleQuickForm_password($elementName=null, $elementLabel=null, $attributes=null) {
+ global $CFG;
+ if (empty($CFG->xmlstrictheaders)) {
+ // no standard mform in moodle should allow autocomplete of passwords
+ // this is valid attribute in html5, sorry, we have to ignore validation errors in legacy xhtml 1.0
+ $attributes = (array)$attributes;
+ if (!isset($attributes['autocomplete'])) {
+ $attributes['autocomplete'] = 'off';
+ }
+ }
+
parent::HTML_QuickForm_password($elementName, $elementLabel, $attributes);
}
/**
@@ -48,4 +58,4 @@ function getHelpButton(){
return $this->_helpbutton;
}
}
-?>
+?>
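Review bot: `$attributes = (array)$attributes;` in the constructor mishandles a string argument. HTML_QuickForm elements accept attributes as a string such as `'size="20"'`, and the cast turns that into a one-element list holding the whole string, so the caller's attributes are likely mangled once `autocomplete` is added beside it. The same cast is repeated in lib/form/passwordunmask.php and lib/formslib.php. Branching on the argument type keeps both call styles working; the sketch below keeps the existing rule that an explicit caller value wins. The class itself starts outside this hunk.

```php
function MoodleQuickForm_password($elementName=null, $elementLabel=null, $attributes=null) {
    global $CFG;
    if (empty($CFG->xmlstrictheaders)) {
        if (empty($attributes)) {
            $attributes = array('autocomplete' => 'off');
        } else if (is_array($attributes)) {
            if (!isset($attributes['autocomplete'])) {
                $attributes['autocomplete'] = 'off';
            }
        } else if (stripos($attributes, 'autocomplete') === false) {
            // string form: append instead of casting, so the caller's attributes survive
            $attributes .= ' autocomplete="off"';
        }
    }
    // … unchanged: parent::HTML_QuickForm_password() call …
```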
10 lib/form/passwordunmask.php
@@ -15,6 +15,16 @@
class MoodleQuickForm_passwordunmask extends MoodleQuickForm_password {
function MoodleQuickForm_passwordunmask($elementName=null, $elementLabel=null, $attributes=null) {
+ global $CFG;
+ if (empty($CFG->xmlstrictheaders)) {
+ // no standard mform in moodle should allow autocomplete of passwords
+ // this is valid attribute in html5, sorry, we have to ignore validation errors in legacy xhtml 1.0
+ $attributes = (array)$attributes;
+ if (!isset($attributes['autocomplete'])) {
+ $attributes['autocomplete'] = 'off';
+ }
+ }
+
parent::MoodleQuickForm_password($elementName, $elementLabel, $attributes);
}
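Review bot: The block added to `MoodleQuickForm_passwordunmask()` duplicates the parent's logic. The constructor ends in `parent::MoodleQuickForm_password(...)`, which after this commit applies the same `autocomplete` default under the same `$CFG->xmlstrictheaders` test. Dropping the copy leaves one place to maintain. If it is kept on purpose, a comment such as `// duplicated from MoodleQuickForm_password so the default survives if the parent changes` would say why. The class body continues outside the hunk.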
10 lib/formslib.php
@@ -106,6 +106,16 @@ class moodleform {
* @return moodleform
*/
function moodleform($action=null, $customdata=null, $method='post', $target='', $attributes=null, $editable=true) {
+ global $CFG;
+ if (empty($CFG->xmlstrictheaders)) {
+ // no standard mform in moodle should allow autocomplete with the exception of user signup
+ // this is valid attribute in html5, sorry, we have to ignore validation errors in legacy xhtml 1.0
+ $attributes = (array)$attributes;
+ if (!isset($attributes['autocomplete'])) {
+ $attributes['autocomplete'] = 'off';
+ }
+ }
+
if (empty($action)){
$action = strip_querystring(qualified_me());
}
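Review bot: The `empty($CFG->xmlstrictheaders)` guard in `moodleform()` means sites that enable strict XHTML headers get no `autocomplete="off"` at all, on forms or on password fields, and nothing tells the administrator. The comment should state that trade-off, for example `// NOTE: with $CFG->xmlstrictheaders enabled autocomplete stays at the browser default, including for password fields`. It is also worth recording that browsers treat the attribute as a hint and password managers may ignore it, so it should not be the only protection for credentials on shared machines. The constructor body continues past the end of the hunk.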
5 lib/javascript-static.js
@@ -427,13 +427,14 @@ function unmaskPassword(id) {
try {
// first try IE way - it can not set name attribute later
if (chb.checked) {
- var newpw = document.createElement('<input type="text" name="'+pw.name+'">');
+ var newpw = document.createElement('<input type="text" autocomplete="off" name="'+pw.name+'">');
} else {
- var newpw = document.createElement('<input type="password" name="'+pw.name+'">');
+ var newpw = document.createElement('<input type="password" autocomplete="off" name="'+pw.name+'">');
}
newpw.attributes['class'].nodeValue = pw.attributes['class'].nodeValue;
} catch (e) {
var newpw = document.createElement('input');
+ newpw.setAttribute('autocomplete', 'off');
newpw.setAttribute('name', pw.name);
if (chb.checked) {
newpw.setAttribute('type', 'text');
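Review bot: The two rewritten `document.createElement('<input ... name="'+pw.name+'">')` lines still build markup by concatenating `pw.name` unescaped. The value presumably comes from a server-generated element name, but that assumption is not stated, and a name containing a quote would change the markup. A comment such as `// pw.name is a form element name generated server-side; it must not contain quotes or angle brackets` would record it; the `setAttribute` path in the `catch` branch does not have the problem. A second comment on the `type="text"` line could say why `autocomplete="off"` matters there: `// unmasked field is plain text, so browsers would otherwise keep the password in form history`. `unmaskPassword()` starts and ends outside the hunk.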
2 login/signup.php
@@ -26,7 +26,7 @@ function signup_captcha_enabled() {
//HTTPS is potentially required in this page
httpsrequired();
- $mform_signup = new login_signup_form();
+ $mform_signup = new login_signup_form(null, null, 'post', '', array('autocomplete'=>'on'));
if ($mform_signup->is_cancelled()) {
redirect($CFG->httpswwwroot.'/login/index.php');
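Review bot: `array('autocomplete'=>'on')` turns autocompletion on for the whole signup form, which also holds the new account's password. Whether that field still carries `autocomplete="off"` depends on the element type `login_signup_form` uses, which is not visible here. If it is a `password` or `passwordunmask` element, the per-element default from this commit should win, and a comment would make that explicit: `// autocomplete is enabled for signup only; the password element sets autocomplete="off" itself`. The positional `null, null, 'post', ''` arguments repeat the constructor defaults just to reach `$attributes`, so the comment also shows a reader which argument matters.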
