Skip to content

Commit

Permalink
MDL-45772 admin: Stop browsers from autofilling passwords incorrectly
Browse files Browse the repository at this point in the history
  • Loading branch information
John Okely committed Aug 4, 2015
1 parent 032a4fe commit 3800019
Show file tree
Hide file tree
Showing 5 changed files with 22 additions and 0 deletions.
2 changes: 2 additions & 0 deletions admin/search.php
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,8 @@
echo '<form action="' . $PAGE->url->out(true) . '" method="post" id="adminsettings">';
echo '<div>';
echo '<input type="hidden" name="sesskey" value="'.sesskey().'" />';
// HACK to prevent browsers from automatically inserting the user's password into the wrong fields.
echo prevent_form_autofill_password();
echo '</div>';
echo '<fieldset>';
echo '<div class="clearer"><!-- --></div>';
Expand Down
4 changes: 4 additions & 0 deletions admin/settings.php
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,8 @@
echo html_writer::input_hidden_params($PAGE->url);
echo '<input type="hidden" name="sesskey" value="'.sesskey().'" />';
echo '<input type="hidden" name="return" value="'.$return.'" />';
// HACK to prevent browsers from automatically inserting the user's password into the wrong fields.
echo prevent_form_autofill_password();

echo $settingspage->output_html();

Expand Down Expand Up @@ -119,6 +121,8 @@
echo html_writer::input_hidden_params($PAGE->url);
echo '<input type="hidden" name="sesskey" value="'.sesskey().'" />';
echo '<input type="hidden" name="return" value="'.$return.'" />';
// HACK to prevent browsers from automatically inserting the user's password into the wrong fields.
echo prevent_form_autofill_password();
echo $OUTPUT->heading($settingspage->visiblename);

echo $settingspage->output_html();
Expand Down
2 changes: 2 additions & 0 deletions admin/upgradesettings.php
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,8 @@
echo '<div>';
echo '<input type="hidden" name="sesskey" value="'.sesskey().'" />';
echo '<input type="hidden" name="return" value="'.$return.'" />';
// HACK to prevent browsers from automatically inserting the user's password into the wrong fields.
echo prevent_form_autofill_password();
echo '<fieldset>';
echo '<div class="clearer"><!-- --></div>';
echo $newsettingshtml;
Expand Down
4 changes: 4 additions & 0 deletions lib/formslib.php
Original file line number Diff line number Diff line change
Expand Up @@ -188,6 +188,10 @@ function moodleform($action=null, $customdata=null, $method='post', $target='',
$this->_form->hardFreeze();
}

// HACK to prevent browsers from automatically inserting the user's password into the wrong fields.
$element = $this->_form->addElement('hidden');
$element->setType('password');

$this->definition();

$this->_form->addElement('hidden', 'sesskey', null); // automatic sesskey protection
Expand Down
10 changes: 10 additions & 0 deletions lib/weblib.php
Original file line number Diff line number Diff line change
Expand Up @@ -3561,3 +3561,13 @@ function get_formatted_help_string($identifier, $component, $ajax = false, $a =
}
return $data;
}

/**
* Renders a hidden password field so that browsers won't incorrectly autofill password fields with the user's password.
*
* @since 3.0
* @return string HTML to prevent password autofill
*/
function prevent_form_autofill_password() {
return '<div class="hide"><input type="password" /></div>';
}

0 comments on commit 3800019

Please sign in to comment.