Merge pull request concretecms#9534 from bitterdev/feature/improve-pa…

…ssword-fields-security Feature/improve password fields security
martbase · Jun 28, 2021 · 5de235c · 5de235c
2 parents 14f2785 + 9405be4
commit 5de235c
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 5 deletions.
diff --git a/concrete/authentication/concrete/form.php b/concrete/authentication/concrete/form.php
@@ -19,7 +19,7 @@
             <?=t('Password'); ?>
         </label>
         <div class="col-sm-9">
-            <input name="uPassword" id="uPassword" class="form-control" type="password" />
+            <input name="uPassword" id="uPassword" class="form-control" type="password" autocomplete="off" />
         </div>
     </div>
     <div class="form-group row">

diff --git a/concrete/single_pages/dashboard/system/api/integrations/view_client.php b/concrete/single_pages/dashboard/system/api/integrations/view_client.php
@@ -49,7 +49,7 @@
 
     <div class="form-group <?= $clientSecret ? 'has-warning' : '' ?>">
         <label><?=t('Client Secret')?></label>
-        <input type="<?= $clientSecret ? 'text' : 'password' ?>" class="form-control" onclick="this.select()" value="<?= $clientSecret ?: str_repeat('*', 96) ?>" <?= $clientSecret ? '' : 'disabled' ?>>
+        <input type="<?= $clientSecret ? 'text' : 'password' ?>" autocomplete="off" class="form-control" onclick="this.select()" value="<?= $clientSecret ?: str_repeat('*', 96) ?>" <?= $clientSecret ? '' : 'disabled' ?>>
         <div class="help-block">
             <?php
             if ($clientSecret) {

diff --git a/concrete/src/Form/Service/Form.php b/concrete/src/Form/Service/Form.php
@@ -677,7 +677,7 @@ public function selectMultiple($key, $optionValues, $defaultValues = false, $mis
      */
     public function password($key, $valueOrMiscFields = '', $miscFields = [])
     {
-        return $this->inputType($key, 'password', $valueOrMiscFields, $miscFields);
+        return $this->inputType($key, 'password', $valueOrMiscFields, array_merge(["autocomplete" => "off"], $miscFields));
     }
 
     /**
@@ -691,7 +691,7 @@ public function getAutocompletionDisabler()
         $result = <<<EOT
 <div id="{$id}" style="position: absolute; top: -1000px; opacity: 0">
     <input type="text" id="{$id}_username" tabindex="-1" />
-    <input type="password" id="{$id}_password" tabindex="-1" />
+    <input type="password" id="{$id}_password" autocomplete="off" tabindex="-1" />
     <script>
     (function() {
         function removeFake() {

diff --git a/concrete/views/oauth/authorize.php b/concrete/views/oauth/authorize.php
@@ -63,7 +63,7 @@
 
                         <div class="form-group">
                             <label class="control-label" for="uPassword"><?= t('Password') ?></label>
-                            <input name="uPassword" id="uPassword" class="form-control" type="password"/>
+                            <input name="uPassword" id="uPassword" class="form-control" type="password" autocomplete="off"/>
                         </div>
 
                         <?php if (isset($locales) && is_array($locales) && count($locales) > 0) {