IntenseWebs/WordPress
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Login and Registration: Disable spellcheck for password fields.

Browse Source 
This changeset adds `spellcheck="false"` attribute to various password fields.

The spellcheck global attribute defines whether the element may be checked for spelling errors. The `false` value indicates that the element should not be checked for spelling errors, which is relevant for a password field.

Furthermore, and as per MDN specs, using spellchecking can have consequences for users' security and privacy. The specification does not regulate how spellchecking is done and the content of the element may be sent to a third party for spellchecking results. Thus, it is recommended to set `spellcheck` attribute to `false` for elements that can contain sensitive information. Which is the case for password fields.

Props dziudek, audrasjb, gainesm, fosuahmed.
Fixes #56763.

Built from https://develop.svn.wordpress.org/trunk@55094


git-svn-id: http://core.svn.wordpress.org/trunk@54627 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
audrasjb
2023-01-19 08:53:13 +00:00
parent 1a21c14d85
commit 0f28fc7aed
8 changed files with 13 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
wp-admin/includes/file.php
View File

@@ -2390,7 +2390,7 @@ function request_filesystem_credentials( $form_post, $type = '', $error = false,
<div class="ftp-password">
<label for="password">
<span class="field-title"><?php echo $label_pass; ?></span>
<input name="password" type="password" id="password" value="<?php echo $password_value; ?>"<?php disabled( defined( 'FTP_PASS' ) ); ?> />
<input name="password" type="password" id="password" value="<?php echo $password_value; ?>"<?php disabled( defined( 'FTP_PASS' ) ); ?> spellcheck="false" />
<?php
if ( ! defined( 'FTP_PASS' ) ) {
_e( 'This password will not be stored on the server.' );

4
wp-admin/install.php
View File

@@ -140,7 +140,7 @@ function display_setup_form( $error = null ) {
<td>
<div class="wp-pwd">
<?php $initial_password = isset( $_POST['admin_password'] ) ? stripslashes( $_POST['admin_password'] ) : wp_generate_password( 18 ); ?>
<input type="password" name="admin_password" id="pass1" class="regular-text" autocomplete="new-password" data-reveal="1" data-pw="<?php echo esc_attr( $initial_password ); ?>" aria-describedby="pass-strength-result" />
<input type="password" name="admin_password" id="pass1" class="regular-text" spellcheck="false" autocomplete="new-password" data-reveal="1" data-pw="<?php echo esc_attr( $initial_password ); ?>" aria-describedby="pass-strength-result" />
<button type="button" class="button wp-hide-pw hide-if-no-js" data-start-masked="<?php echo (int) isset( $_POST['admin_password'] ); ?>" data-toggle="0" aria-label="<?php esc_attr_e( 'Hide password' ); ?>">
<span class="dashicons dashicons-hidden"></span>
<span class="text"><?php _e( 'Hide' ); ?></span>
@@ -160,7 +160,7 @@ function display_setup_form( $error = null ) {
</label>
</th>
<td>
<input name="admin_password2" type="password" id="pass2" autocomplete="new-password" />
<input name="admin_password2" type="password" id="pass2" autocomplete="new-password" spellcheck="false" />
</td>
</tr>
<tr class="pw-weak">

4
wp-admin/user-edit.php
View File

@@ -638,7 +638,7 @@ switch ( $action ) {
<button type="button" class="button wp-generate-pw hide-if-no-js" aria-expanded="false"><?php _e( 'Set New Password' ); ?></button>
<div class="wp-pwd hide-if-js">
<span class="password-input-wrapper">
<input type="password" name="pass1" id="pass1" class="regular-text" value="" autocomplete="new-password" data-pw="<?php echo esc_attr( wp_generate_password( 24 ) ); ?>" aria-describedby="pass-strength-result" />
<input type="password" name="pass1" id="pass1" class="regular-text" value="" autocomplete="new-password" spellcheck="false" data-pw="<?php echo esc_attr( wp_generate_password( 24 ) ); ?>" aria-describedby="pass-strength-result" />
</span>
<button type="button" class="button wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="<?php esc_attr_e( 'Hide password' ); ?>">
<span class="dashicons dashicons-hidden" aria-hidden="true"></span>
@@ -655,7 +655,7 @@ switch ( $action ) {
<tr class="user-pass2-wrap hide-if-js">
<th scope="row"><label for="pass2"><?php _e( 'Repeat New Password' ); ?></label></th>
<td>
<input name="pass2" type="password" id="pass2" class="regular-text" value="" autocomplete="new-password" aria-describedby="pass2-desc" />
<input name="pass2" type="password" id="pass2" class="regular-text" value="" autocomplete="new-password" spellcheck="false" aria-describedby="pass2-desc" />
<?php if ( IS_PROFILE_PAGE ) : ?>
<p class="description" id="pass2-desc"><?php _e( 'Type your new password again.' ); ?></p>
<?php else : ?>

4
wp-admin/user-new.php
View File

@@ -571,7 +571,7 @@ if ( current_user_can( 'create_users' ) ) {
<div class="wp-pwd">
<?php $initial_password = wp_generate_password( 24 ); ?>
<span class="password-input-wrapper">
<input type="password" name="pass1" id="pass1" class="regular-text" autocomplete="new-password" data-reveal="1" data-pw="<?php echo esc_attr( $initial_password ); ?>" aria-describedby="pass-strength-result" />
<input type="password" name="pass1" id="pass1" class="regular-text" autocomplete="new-password" spellcheck="false" data-reveal="1" data-pw="<?php echo esc_attr( $initial_password ); ?>" aria-describedby="pass-strength-result" />
</span>
<button type="button" class="button wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="<?php esc_attr_e( 'Hide password' ); ?>">
<span class="dashicons dashicons-hidden" aria-hidden="true"></span>
@@ -584,7 +584,7 @@ if ( current_user_can( 'create_users' ) ) {
<tr class="form-field form-required user-pass2-wrap hide-if-js">
<th scope="row"><label for="pass2"><?php _e( 'Repeat Password' ); ?> <span class="description"><?php _e( '(required)' ); ?></span></label></th>
<td>
<input name="pass2" type="password" id="pass2" autocomplete="new-password" aria-describedby="pass2-desc" />
<input name="pass2" type="password" id="pass2" autocomplete="new-password" spellcheck="false" aria-describedby="pass2-desc" />
<p class="description" id="pass2-desc"><?php _e( 'Type the password again.' ); ?></p>
</td>
</tr>