[wp-trac] [WordPress Trac] #33699: Hidden password input fields should default to disabled="disabled"
WordPress Trac
noreply at wordpress.org
Thu Oct 1 19:46:57 UTC 2015
#33699: Hidden password input fields should default to disabled="disabled"
-----------------------------+---------------------------------------------
Reporter: raamdev | Owner: adamsilverstein
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 4.4
Component: Users | Version: 4.3
Severity: normal | Resolution:
Keywords: has-patch dev-feedback | Focuses: ui, javascript, administration
-----------------------------+---------------------------------------------
Comment (by raamdev):
> I'm not sure disabling the fields will change anything - currently all
> fields have the parameter autocomplete="off". This is the setting that is
> supposed to tell LastPass and other password managers "don't autofill this
> field".

@adamsilverstein Disabling the fields (via the `disabled="disabled"`
attribute) ensures that the browser does not send the field in the POST at
all, even if that field somehow contains a value.

I haven't been able to reproduce the issue that I described with any
regularity, but what's happening, as @JasWSInc mentioned, is that the
browser is sometimes sending the `pass1` and/or `pass2` field with the
POST, even when the field is hidden, and when the browser (or perhaps an
extension) does not obey the `autocomplete="off"` setting and fills in the
hidden field with a value, this results in a WordPress Password Reset
inadvertently occurring when updating the user's profile.

Since there's no reason to send the field with the POST when the field is
not visible, setting `disabled="disabled"` is what we want.

I reviewed your patch and it looks good to me. :-) Thank you!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33699#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
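
Added example, not part of the original message and not WordPress code: a simplified model of how a browser builds the POST body, showing that a hidden, autofilled `pass1`/`pass2` pair is still submitted unless the fields are disabled. The handler, the autofill function and the sample form are hypothetical stand-ins constructed for illustration.

```javascript
// Simplified model of HTML form submission (assumption: only the rules that
// matter here). A control is left out of the submitted entry list when it is
// disabled or has no name; CSS visibility and autocomplete="off" play no part.
function buildEntryList(controls) {
  return controls
    .filter((c) => c.name && !c.disabled)
    .map((c) => [c.name, c.value]);
}

// Hypothetical stand-in for a profile handler that treats any non-empty,
// matching pass1/pass2 pair as a password change request.
function handleProfileUpdate(entries) {
  const post = Object.fromEntries(entries);
  const passwordChanged = Boolean(post.pass1) && post.pass1 === post.pass2;
  return { passwordChanged, fieldsReceived: Object.keys(post) };
}

// Constructed sample: a profile form whose password fields are hidden.
function profileForm({ disableHidden }) {
  const hiddenPassword = (name) => ({
    name, value: '', hidden: true, autocomplete: 'off', disabled: disableHidden,
  });
  return [
    { name: 'email', value: 'user@example.test', hidden: false, disabled: false },
    hiddenPassword('pass1'),
    hiddenPassword('pass2'),
  ];
}

// Models a browser or extension that ignores autocomplete="off" and writes a
// saved value into every password field, visible or not (worst case: the
// field "somehow contains a value").
function autofillIgnoringHints(controls, value) {
  return controls.map((c) => (/^pass\d$/.test(c.name) ? { ...c, value } : c));
}

function simulate(disableHidden) {
  const filled = autofillIgnoringHints(profileForm({ disableHidden }), 'saved-password');
  return handleProfileUpdate(buildEntryList(filled));
}

console.log('hidden only:        ', simulate(false));
console.log('hidden and disabled:', simulate(true));
```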