Permalink
Browse files

MDL-29917 prevent form autocompletion in most Moodle forms

The password autocompletion in case of Moodle makes sense only on the login page, the form autocompletion in general is most probably useful only on the user signup page.

This patch is compatible with html 5, unfortunately we have to ignore strict warnings in legacy xhtml 1.0 standard.
  • Loading branch information...
1 parent 464ad0a commit a4478cd677ebb1a3e40040b7cf60c48099009242 @skodak skodak committed Dec 30, 2011
Showing with 33 additions and 3 deletions.
  1. +10 −0 lib/form/password.php
  2. +9 −0 lib/form/passwordunmask.php
  3. +10 −0 lib/formslib.php
  4. +3 −2 lib/javascript-static.js
  5. +1 −1 login/signup.php
View
@@ -15,6 +15,16 @@ class MoodleQuickForm_password extends HTML_QuickForm_password{
*/
var $_helpbutton='';
function MoodleQuickForm_password($elementName=null, $elementLabel=null, $attributes=null) {
+ global $CFG;
+ if (empty($CFG->xmlstrictheaders)) {
+ // no standard mform in moodle should allow autocomplete of passwords
+ // this is valid attribute in html5, sorry, we have to ignore validation errors in legacy xhtml 1.0
+ $attributes = (array)$attributes;
+ if (!isset($attributes['autocomplete'])) {
+ $attributes['autocomplete'] = 'off';
+ }
+ }
+
parent::HTML_QuickForm_password($elementName, $elementLabel, $attributes);
}
/**
@@ -15,6 +15,15 @@
class MoodleQuickForm_passwordunmask extends MoodleQuickForm_password {
function MoodleQuickForm_passwordunmask($elementName=null, $elementLabel=null, $attributes=null) {
+ global $CFG;
+ if (empty($CFG->xmlstrictheaders)) {
+ // no standard mform in moodle should allow autocomplete of passwords
+ // this is valid attribute in html5, sorry, we have to ignore validation errors in legacy xhtml 1.0
+ $attributes = (array)$attributes;
+ if (!isset($attributes['autocomplete'])) {
+ $attributes['autocomplete'] = 'off';
+ }
+ }
parent::MoodleQuickForm_password($elementName, $elementLabel, $attributes);
}
View
@@ -139,6 +139,16 @@ function form_init_date_js() {
* @return object moodleform
*/
function moodleform($action=null, $customdata=null, $method='post', $target='', $attributes=null, $editable=true) {
+ global $CFG;
+ if (empty($CFG->xmlstrictheaders)) {
+ // no standard mform in moodle should allow autocomplete with the exception of user signup
+ // this is valid attribute in html5, sorry, we have to ignore validation errors in legacy xhtml 1.0
+ $attributes = (array)$attributes;
+ if (!isset($attributes['autocomplete'])) {
+ $attributes['autocomplete'] = 'off';
+ }
+ }
+
if (empty($action)){
$action = strip_querystring(qualified_me());
}
View
@@ -876,13 +876,14 @@ function unmaskPassword(id) {
try {
// first try IE way - it can not set name attribute later
if (chb.checked) {
- var newpw = document.createElement('<input type="text" name="'+pw.name+'">');
+ var newpw = document.createElement('<input type="text" autocomplete="off" name="'+pw.name+'">');
} else {
- var newpw = document.createElement('<input type="password" name="'+pw.name+'">');
+ var newpw = document.createElement('<input type="password" autocomplete="off" name="'+pw.name+'">');
}
newpw.attributes['class'].nodeValue = pw.attributes['class'].nodeValue;
} catch (e) {
var newpw = document.createElement('input');
+ newpw.setAttribute('autocomplete', 'off');
newpw.setAttribute('name', pw.name);
if (chb.checked) {
newpw.setAttribute('type', 'text');
View
@@ -43,7 +43,7 @@
$PAGE->set_url('/login/signup.php');
$PAGE->set_context(get_context_instance(CONTEXT_SYSTEM));
-$mform_signup = new login_signup_form();
+$mform_signup = new login_signup_form(null, null, 'post', '', array('autocomplete'=>'on'));
if ($mform_signup->is_cancelled()) {
redirect(get_login_url());

0 comments on commit a4478cd

Please sign in to comment.