
MDL-29917 prevent form autocompletion in most Moodle forms

In Moodle, password autocompletion makes sense only on the login page, and form autocompletion in general is most probably useful only on the user signup page.

This patch is compatible with HTML5; unfortunately, we have to ignore strict warnings in the legacy XHTML 1.0 standard.
1 parent 8376475 commit a36e38be7f97b49f7aa5ae73cf027781cf912263 @skodak skodak committed with Sam Hemelryk Dec 30, 2011
Showing with 33 additions and 4 deletions.
  1. +10 −0 lib/form/password.php
  2. +9 −1 lib/form/passwordunmask.php
  3. +10 −0 lib/formslib.php
  4. +3 −2 lib/javascript-static.js
  5. +1 −1 login/signup.php
@@ -15,6 +15,16 @@ class MoodleQuickForm_password extends HTML_QuickForm_password{
*/
var $_helpbutton='';
function MoodleQuickForm_password($elementName=null, $elementLabel=null, $attributes=null) {
+ global $CFG;
+ if (empty($CFG->xmlstrictheaders)) {
+ // no standard mform in moodle should allow autocomplete of passwords
+ // this is valid attribute in html5, sorry, we have to ignore validation errors in legacy xhtml 1.0
+ $attributes = (array)$attributes;
+ if (!isset($attributes['autocomplete'])) {
+ $attributes['autocomplete'] = 'off';
+ }
+ }
+
parent::HTML_QuickForm_password($elementName, $elementLabel, $attributes);
}
/**
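Review bot: The `autocomplete="off"` default in this constructor is applied only when `$CFG->xmlstrictheaders` is empty, so a site with strict headers enabled silently gets no autocomplete suppression on password fields; the same guard is repeated in the lib/form/passwordunmask.php and lib/formslib.php hunks. The comment should state that trade-off, for example `// NOTE: with $CFG->xmlstrictheaders enabled the attribute is omitted and browsers may offer to fill or store this field`. Separately, `$attributes = (array)$attributes;` turns a string argument into `array(0 => '...')`; the QuickForm base classes appear to accept attribute strings as well as arrays, so if any caller still passes a string, wrapping the block in `if (is_array($attributes) || is_null($attributes))` would avoid mangling it. Browsers and password managers may also ignore `autocomplete="off"` on password inputs, so treat it as a hint rather than a control.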
@@ -15,6 +15,15 @@
class MoodleQuickForm_passwordunmask extends MoodleQuickForm_password {
function MoodleQuickForm_passwordunmask($elementName=null, $elementLabel=null, $attributes=null) {
+ global $CFG;
+ if (empty($CFG->xmlstrictheaders)) {
+ // no standard mform in moodle should allow autocomplete of passwords
+ // this is valid attribute in html5, sorry, we have to ignore validation errors in legacy xhtml 1.0
+ $attributes = (array)$attributes;
+ if (!isset($attributes['autocomplete'])) {
+ $attributes['autocomplete'] = 'off';
+ }
+ }
parent::MoodleQuickForm_password($elementName, $elementLabel, $attributes);
}
@@ -25,7 +34,6 @@ function toHtml() {
return $this->getFrozenHtml();
} else {
$unmask = get_string('unmaskpassword', 'form');
- $this->updateAttributes(array('autocomplete' => 'off'));
//Pass id of the element, so that unmask checkbox can be attached.
$PAGE->requires->yui_module('moodle-form-passwordunmask', 'M.form.passwordunmask',
array(array('formid' => $this->getAttribute('id'), 'checkboxname' => $unmask)));
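Review bot: Removing `$this->updateAttributes(array('autocomplete' => 'off'));` from toHtml() means the unmask element no longer gets the attribute unconditionally. The removed line set it on every non-frozen render, whereas the constructor block skips it when `$CFG->xmlstrictheaders` is enabled or when a caller supplies its own `autocomplete` value, so in those cases the field that can be switched to plain text is now rendered without it. The constructor block is also redundant, because the next line calls `parent::MoodleQuickForm_password(...)` with the same `$attributes` and the parent constructor patched in lib/form/password.php applies the identical default. If always-off was intended for this element, keep the `updateAttributes` call and drop the duplicated block instead. toHtml() starts and ends outside the hunk.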
@@ -139,6 +139,16 @@ function form_init_date_js() {
* @return object moodleform
*/
function moodleform($action=null, $customdata=null, $method='post', $target='', $attributes=null, $editable=true) {
+ global $CFG;
+ if (empty($CFG->xmlstrictheaders)) {
+ // no standard mform in moodle should allow autocomplete with the exception of user signup
+ // this is valid attribute in html5, sorry, we have to ignore validation errors in legacy xhtml 1.0
+ $attributes = (array)$attributes;
+ if (!isset($attributes['autocomplete'])) {
+ $attributes['autocomplete'] = 'off';
+ }
+ }
+
if (empty($action)){
$action = strip_querystring(qualified_me());
}
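Review bot: The docblock above `moodleform()` is left untouched by this commit (all ten added lines are in the constructor body), so nothing tells callers that every form now renders with `autocomplete="off"` unless they pass an `autocomplete` key in `$attributes`. The `$attributes` parameter description should say so, for example `autocomplete defaults to 'off' unless $CFG->xmlstrictheaders is set; pass array('autocomplete' => 'on') to opt in, as login/signup.php does`. Only the last line of the docblock is visible here and the constructor continues past the hunk, so the wording needs checking against the full comment.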
@@ -920,13 +920,14 @@ function unmaskPassword(id) {
try {
// first try IE way - it can not set name attribute later
if (chb.checked) {
- var newpw = document.createElement('<input type="text" name="'+pw.name+'">');
+ var newpw = document.createElement('<input type="text" autocomplete="off" name="'+pw.name+'">');
} else {
- var newpw = document.createElement('<input type="password" name="'+pw.name+'">');
+ var newpw = document.createElement('<input type="password" autocomplete="off" name="'+pw.name+'">');
}
newpw.attributes['class'].nodeValue = pw.attributes['class'].nodeValue;
} catch (e) {
var newpw = document.createElement('input');
+ newpw.setAttribute('autocomplete', 'off');
newpw.setAttribute('name', pw.name);
if (chb.checked) {
newpw.setAttribute('type', 'text');
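Review bot: On the IE path both changed `createElement` lines build markup by concatenating `pw.name` unescaped, so a field name containing a double quote would end the `name` attribute early and the remainder would be parsed as further attributes. Field names are presumably generated server-side, which keeps the risk low, but escaping is cheap: `name="' + pw.name.replace(/"/g, '&quot;') + '"`. The `catch` branch is not affected because it uses `setAttribute`. `unmaskPassword` begins and ends outside the hunk, so how `pw` is obtained is not visible here.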
@@ -43,7 +43,7 @@
$PAGE->set_url('/login/signup.php');
$PAGE->set_context(get_context_instance(CONTEXT_SYSTEM));
-$mform_signup = new login_signup_form();
+$mform_signup = new login_signup_form(null, null, 'post', '', array('autocomplete'=>'on'));
if ($mform_signup->is_cancelled()) {
redirect(get_login_url());
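Review bot: The `array('autocomplete'=>'on')` opt-in has no comment explaining why the signup form is the exception, and the four positional defaults in front of it hide the intent. A line above the constructor call such as `// signup is the one form where browser autofill is wanted; password elements still default to autocomplete=off on their own` would record the decision. The second half of that comment holds only while `$CFG->xmlstrictheaders` is empty and the signup form uses the QuickForm password elements patched in this commit, neither of which this hunk shows, so confirm it before adding the comment.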
