[wp-trac] [WordPress Trac] #33699: Hidden password input fields should default to disabled="disabled"

WordPress Trac noreply at wordpress.org
Thu Sep 3 01:45:22 UTC 2015


#33699: Hidden password input fields should default to disabled="disabled"
--------------------------------------------+-----------------------------
 Reporter:  raamdev                         |      Owner:
     Type:  defect (bug)                    |     Status:  new
 Priority:  normal                          |  Milestone:  Awaiting Review
Component:  Users                           |    Version:  4.3
 Severity:  normal                          |   Keywords:
  Focuses:  ui, javascript, administration  |
--------------------------------------------+-----------------------------
 There have been [https://wordpress.org/support/topic/notice-of-password-
 change-email-every-time-user-profile-updated several]
 [https://github.com/websharks/s2member/issues/705 reports] of WordPress
 v4.3 sending the "notice of password change" email every time a user's
 profile is updated. I'm aware of a [https://wordpress.org/support/topic
 /read-this-first-%E2%80%93-wordpress-43-master-list?replies=4#post-7314894
 similar issue] where some plugins are improperly calling
 `wp_update_user()` with a `user_pass` field, but what I'm describing in
 this ticket is separate and unrelated.

 Some browsers (reproduced sporadically with Firefox and Chrome) with the
 "Save Passwords" or "Auto Fill" options enabled are submitting the hidden
 `pass1` input field on the Edit User page, with a password auto-filled
 from the browser, resulting in the updated user's password being reset
 whenever the "Update User" button is clicked, even if nothing on the user's
 profile was changed.

 Since WordPress v4.3 now hides the password reset input box behind the
 "Generate Password" button, the hidden password input field should default
 to having the [http://www.w3.org/TR/html5/disabled-elements.html HTML
 attribute disabled="disabled"] so that even if it is automatically filled
 by the browser behind the scenes, it is never POSTed; i.e., if the field is
 not in view, disable it entirely, to avoid the potential for this to
 occur.

 The JavaScript used to show the password input field whenever you click
 "Generate Password" in WP v4.3+ could then remove the
 `disabled="disabled"` attribute when it is in view, so that you can
 interact with it and so that the browser will POST it when it is in view.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/33699>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
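The mechanism behind this ticket, as an added example that is not part of the ticket or of WordPress core: a DOM-free model of the HTML rule that a control carrying the `disabled` attribute is never included in the submitted form data set. It plays through the three situations the report describes: the hidden but enabled `pass1` field being autofilled and POSTed (the bug), the same field defaulting to `disabled="disabled"` so the autofilled value never leaves the browser (the proposed fix), and the "Generate Password" click removing the attribute so a deliberately entered password is submitted. The field names `user_email`, `pass1` and `pass2`, the `hidden` flag standing in for "out of view", and the sample e-mail address are constructed for the example.

```javascript
// Added example, not code from the ticket or from WordPress core.
// Models the HTML form-submission rule "disabled controls are not submitted"
// without a DOM, so it runs under plain Node.

// Build the name/value pairs a browser would POST from a set of controls.
// Per HTML, a control with the disabled attribute is left out of the form
// data set regardless of its value or whether it is visible.
function buildFormDataSet(controls) {
  return controls
    .filter((c) => !c.disabled)
    .map((c) => [c.name, c.value]);
}

// Convenience: turn the data set into a plain object keyed by field name.
function postedData(controls) {
  return Object.fromEntries(buildFormDataSet(controls));
}

// Simulate a browser password manager filling every password input,
// visible or not (the behaviour the ticket reports for Firefox and Chrome).
function autofillPasswords(controls, savedPassword) {
  return controls.map((c) =>
    c.type === 'password' ? { ...c, value: savedPassword } : c
  );
}

// Constructed Edit User form. With disableHiddenPassword = true the
// out-of-view password fields start with disabled="disabled", as proposed.
function editUserForm(disableHiddenPassword) {
  return [
    { name: 'user_email', type: 'email', value: 'editor@example.test', hidden: false, disabled: false },
    { name: 'pass1', type: 'password', value: '', hidden: true, disabled: disableHiddenPassword },
    { name: 'pass2', type: 'password', value: '', hidden: true, disabled: disableHiddenPassword },
  ];
}

// What the "Generate Password" click handler would do: bring the fields
// into view and drop the disabled attribute so they can be edited and POSTed.
function revealPasswordFields(controls) {
  return controls.map((c) =>
    c.type === 'password' ? { ...c, hidden: false, disabled: false } : c
  );
}

// Scenario 1 (the bug): hidden but enabled field, autofilled, then submitted.
// The saved password reaches the server and the profile update resets it.
function scenarioHiddenEnabled(savedPassword) {
  return postedData(autofillPasswords(editUserForm(false), savedPassword));
}

// Scenario 2 (the fix): hidden field defaults to disabled. Autofill may still
// write into the DOM, but pass1/pass2 never enter the form data set.
function scenarioHiddenDisabled(savedPassword) {
  return postedData(autofillPasswords(editUserForm(true), savedPassword));
}

// Scenario 3: user clicks "Generate Password", fields are revealed and
// enabled, and a password the user actually typed is submitted as intended.
function scenarioAfterReveal(typedPassword) {
  const revealed = revealPasswordFields(editUserForm(true));
  const filled = revealed.map((c) =>
    c.name === 'pass1' ? { ...c, value: typedPassword } : c
  );
  return postedData(filled);
}

// Stand-alone run: show which fields each scenario would POST.
console.log('hidden+enabled :', scenarioHiddenEnabled('saved-secret'));
console.log('hidden+disabled:', scenarioHiddenDisabled('saved-secret'));
console.log('after reveal   :', scenarioAfterReveal('N3w-pass'));
```

In a real page the reveal handler would call `removeAttribute('disabled')` on the inputs when the button is clicked, and set it again if the field is hidden without a password being chosen. Disabling the control is a client-side mitigation for autofill only; the server-side handler should still treat a missing or empty `pass1` as "no password change".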

