MDL-29917 prevent form autocompletion in most Moodle forms

The password autocompletion in case of Moodle makes sense only on the login page, the form autocompletion in general is most probably useful only on the user signup page.

This patch is compatible with html 5, unfortunately we have to ignore strict warnings in legacy xhtml 1.0 standard.

lib/form/password.php

@@ -15,6 +15,16 @@ class MoodleQuickForm_password extends HTML_QuickForm_password{
      */
     var $_helpbutton='';
     function MoodleQuickForm_password($elementName=null, $elementLabel=null, $attributes=null) {
+        global $CFG;
+        if (empty($CFG->xmlstrictheaders)) {
+            // no standard mform in moodle should allow autocomplete of passwords
+            // this is valid attribute in html5, sorry, we have to ignore validation errors in legacy xhtml 1.0
+            $attributes = (array)$attributes;
+            if (!isset($attributes['autocomplete'])) {
+                $attributes['autocomplete'] = 'off';
+            }
+        }
+
         parent::HTML_QuickForm_password($elementName, $elementLabel, $attributes);
     }
     /**
@@ -48,4 +58,4 @@ function getHelpButton(){
         return $this->_helpbutton;
     }
 }
-?>
+?>

lib/form/passwordunmask.php

@@ -15,6 +15,16 @@
 class MoodleQuickForm_passwordunmask extends MoodleQuickForm_password {
 
     function MoodleQuickForm_passwordunmask($elementName=null, $elementLabel=null, $attributes=null) {
+        global $CFG;
+        if (empty($CFG->xmlstrictheaders)) {
+            // no standard mform in moodle should allow autocomplete of passwords
+            // this is valid attribute in html5, sorry, we have to ignore validation errors in legacy xhtml 1.0
+            $attributes = (array)$attributes;
+            if (!isset($attributes['autocomplete'])) {
+                $attributes['autocomplete'] = 'off';
+            }
+        }
+
         parent::MoodleQuickForm_password($elementName, $elementLabel, $attributes);
     }
 

lib/formslib.php

@@ -106,6 +106,16 @@ class moodleform {
      * @return moodleform
      */
     function moodleform($action=null, $customdata=null, $method='post', $target='', $attributes=null, $editable=true) {
+        global $CFG;
+        if (empty($CFG->xmlstrictheaders)) {
+            // no standard mform in moodle should allow autocomplete with the exception of user signup
+            // this is valid attribute in html5, sorry, we have to ignore validation errors in legacy xhtml 1.0
+            $attributes = (array)$attributes;
+            if (!isset($attributes['autocomplete'])) {
+                $attributes['autocomplete'] = 'off';
+            }
+        }
+
         if (empty($action)){
             $action = strip_querystring(qualified_me());
         }

lib/javascript-static.js

@@ -427,13 +427,14 @@ function unmaskPassword(id) {
   try {
     // first try IE way - it can not set name attribute later
     if (chb.checked) {
-      var newpw = document.createElement('<input type="text" name="'+pw.name+'">');
+      var newpw = document.createElement('<input type="text" autocomplete="off" name="'+pw.name+'">');
     } else {
-      var newpw = document.createElement('<input type="password" name="'+pw.name+'">');
+      var newpw = document.createElement('<input type="password" autocomplete="off" name="'+pw.name+'">');
     }
     newpw.attributes['class'].nodeValue = pw.attributes['class'].nodeValue;
   } catch (e) {
     var newpw = document.createElement('input');
+    newpw.setAttribute('autocomplete', 'off');
     newpw.setAttribute('name', pw.name);
     if (chb.checked) {
       newpw.setAttribute('type', 'text');

login/signup.php

@@ -26,7 +26,7 @@ function signup_captcha_enabled() {
     //HTTPS is potentially required in this page
     httpsrequired();
 
-    $mform_signup = new login_signup_form();
+    $mform_signup = new login_signup_form(null, null, 'post', '', array('autocomplete'=>'on'));
 
     if ($mform_signup->is_cancelled()) {
         redirect($CFG->httpswwwroot.'/login/index.php');