
Changeset 55094


Timestamp:
01/19/2023 08:51:41 AM (18 months ago)
Author:
audrasjb
Message:

Login and Registration: Disable spellcheck for password fields.

This changeset adds spellcheck="false" attribute to various password fields.

The spellcheck global attribute defines whether the element may be checked for spelling errors. The false value indicates that the element should not be checked for spelling errors, which is relevant for a password field.

Furthermore, as per MDN, spellchecking can have consequences for users' security and privacy. The specification does not regulate how spellchecking is done, and the content of the element may be sent to a third party for spellchecking results. It is therefore recommended to set the spellcheck attribute to false for elements that can contain sensitive information, which is the case for password fields.

Props dziudek, audrasjb, gainesm, fosuahmed.
Fixes #56763.

Location:
trunk/src
Files:
7 edited

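--- a/trunk/src/wp-admin/includes/file.php
+++ b/trunk/src/wp-admin/includes/file.php
@@ -2391,5 +2391,5 @@
     <label for="password">
         <span class="field-title"><?php echo $label_pass; ?></span>
-        <input name="password" type="password" id="password" value="<?php echo $password_value; ?>"<?php disabled( defined( 'FTP_PASS' ) ); ?> />
+        <input name="password" type="password" id="password" value="<?php echo $password_value; ?>"<?php disabled( defined( 'FTP_PASS' ) ); ?> spellcheck="false" />
         <?php
         if ( ! defined( 'FTP_PASS' ) ) {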
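Review bot: On the changed line 2393, `$password_value` is echoed straight into the `value` attribute without escaping, unlike the `data-pw` values in the other files of this changeset, which all go through `esc_attr()`. Its assignment is outside the hunk, so it may well be a fixed placeholder, but escaping at the point of output keeps the line safe whatever the variable holds: `value="<?php echo esc_attr( $password_value ); ?>"`. The same applies to `$label`, which is concatenated into the `for` and `id` attributes on line 1755 of wp-includes/post-template.php and could be wrapped as `esc_attr( $label )`.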
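--- a/trunk/src/wp-admin/install.php
+++ b/trunk/src/wp-admin/install.php
@@ -141,5 +141,5 @@
                 <div class="wp-pwd">
                     <?php $initial_password = isset( $_POST['admin_password'] ) ? stripslashes( $_POST['admin_password'] ) : wp_generate_password( 18 ); ?>
-                    <input type="password" name="admin_password" id="pass1" class="regular-text" autocomplete="new-password" data-reveal="1" data-pw="<?php echo esc_attr( $initial_password ); ?>" aria-describedby="pass-strength-result" />
+                    <input type="password" name="admin_password" id="pass1" class="regular-text" spellcheck="false" autocomplete="new-password" data-reveal="1" data-pw="<?php echo esc_attr( $initial_password ); ?>" aria-describedby="pass-strength-result" />
                     <button type="button" class="button wp-hide-pw hide-if-no-js" data-start-masked="<?php echo (int) isset( $_POST['admin_password'] ); ?>" data-toggle="0" aria-label="<?php esc_attr_e( 'Hide password' ); ?>">
                         <span class="dashicons dashicons-hidden"></span>
@@ -161,5 +161,5 @@
             </th>
             <td>
-                <input name="admin_password2" type="password" id="pass2" autocomplete="new-password" />
+                <input name="admin_password2" type="password" id="pass2" autocomplete="new-password" spellcheck="false" />
             </td>
         </tr>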
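--- a/trunk/src/wp-admin/user-edit.php
+++ b/trunk/src/wp-admin/user-edit.php
@@ -639,5 +639,5 @@
                                     <div class="wp-pwd hide-if-js">
                                         <span class="password-input-wrapper">
-                                            <input type="password" name="pass1" id="pass1" class="regular-text" value="" autocomplete="new-password" data-pw="<?php echo esc_attr( wp_generate_password( 24 ) ); ?>" aria-describedby="pass-strength-result" />
+                                            <input type="password" name="pass1" id="pass1" class="regular-text" value="" autocomplete="new-password" spellcheck="false" data-pw="<?php echo esc_attr( wp_generate_password( 24 ) ); ?>" aria-describedby="pass-strength-result" />
                                         </span>
                                         <button type="button" class="button wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="<?php esc_attr_e( 'Hide password' ); ?>">
@@ -656,5 +656,5 @@
                                 <th scope="row"><label for="pass2"><?php _e( 'Repeat New Password' ); ?></label></th>
                                 <td>
-                                <input name="pass2" type="password" id="pass2" class="regular-text" value="" autocomplete="new-password" aria-describedby="pass2-desc" />
+                                <input name="pass2" type="password" id="pass2" class="regular-text" value="" autocomplete="new-password" spellcheck="false" aria-describedby="pass2-desc" />
                                     <?php if ( IS_PROFILE_PAGE ) : ?>
                                         <p class="description" id="pass2-desc"><?php _e( 'Type your new password again.' ); ?></p>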
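--- a/trunk/src/wp-admin/user-new.php
+++ b/trunk/src/wp-admin/user-new.php
@@ -572,5 +572,5 @@
                 <?php $initial_password = wp_generate_password( 24 ); ?>
                 <span class="password-input-wrapper">
-                    <input type="password" name="pass1" id="pass1" class="regular-text" autocomplete="new-password" data-reveal="1" data-pw="<?php echo esc_attr( $initial_password ); ?>" aria-describedby="pass-strength-result" />
+                    <input type="password" name="pass1" id="pass1" class="regular-text" autocomplete="new-password" spellcheck="false" data-reveal="1" data-pw="<?php echo esc_attr( $initial_password ); ?>" aria-describedby="pass-strength-result" />
                 </span>
                 <button type="button" class="button wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="<?php esc_attr_e( 'Hide password' ); ?>">
@@ -585,5 +585,5 @@
         <th scope="row"><label for="pass2"><?php _e( 'Repeat Password' ); ?> <span class="description"><?php _e( '(required)' ); ?></span></label></th>
         <td>
-        <input name="pass2" type="password" id="pass2" autocomplete="new-password" aria-describedby="pass2-desc" />
+        <input name="pass2" type="password" id="pass2" autocomplete="new-password" spellcheck="false" aria-describedby="pass2-desc" />
         <p class="description" id="pass2-desc"><?php _e( 'Type the password again.' ); ?></p>
         </td>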
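--- a/trunk/src/wp-includes/general-template.php
+++ b/trunk/src/wp-includes/general-template.php
@@ -596,5 +596,5 @@
             '<p class="login-password">
                 <label for="%1$s">%2$s</label>
-                <input type="password" name="pwd" id="%1$s" autocomplete="current-password" class="input" value="" size="20" />
+                <input type="password" name="pwd" id="%1$s" autocomplete="current-password" spellcheck="false" class="input" value="" size="20" />
             </p>',
             esc_attr( $args['id_password'] ),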
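--- a/trunk/src/wp-includes/post-template.php
+++ b/trunk/src/wp-includes/post-template.php
@@ -1753,5 +1753,5 @@
     $output = '<form action="' . esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ) . '" class="post-password-form" method="post">
     <p>' . __( 'This content is password protected. To view it please enter your password below:' ) . '</p>
-    <p><label for="' . $label . '">' . __( 'Password:' ) . ' <input name="post_password" id="' . $label . '" type="password" size="20" /></label> <input type="submit" name="Submit" value="' . esc_attr_x( 'Enter', 'post password form' ) . '" /></p></form>
+    <p><label for="' . $label . '">' . __( 'Password:' ) . ' <input name="post_password" id="' . $label . '" type="password" spellcheck="false" size="20" /></label> <input type="submit" name="Submit" value="' . esc_attr_x( 'Enter', 'post password form' ) . '" /></p></form>
     ';
 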
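--- a/trunk/src/wp-login.php
+++ b/trunk/src/wp-login.php
@@ -959,5 +959,5 @@
 
                 <div class="wp-pwd">
-                    <input type="password" data-reveal="1" data-pw="<?php echo esc_attr( wp_generate_password( 16 ) ); ?>" name="pass1" id="pass1" class="input password-input" size="24" value="" autocomplete="new-password" aria-describedby="pass-strength-result" />
+                    <input type="password" data-reveal="1" data-pw="<?php echo esc_attr( wp_generate_password( 16 ) ); ?>" name="pass1" id="pass1" class="input password-input" size="24" value="" autocomplete="new-password" spellcheck="false" aria-describedby="pass-strength-result" />
 
                     <button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="<?php esc_attr_e( 'Hide password' ); ?>">
@@ -974,5 +974,5 @@
             <p class="user-pass2-wrap">
                 <label for="pass2"><?php _e( 'Confirm new password' ); ?></label>
-                <input type="password" name="pass2" id="pass2" class="input" size="20" value="" autocomplete="new-password" />
+                <input type="password" name="pass2" id="pass2" class="input" size="20" value="" autocomplete="new-password" spellcheck="false" />
             </p>
 
@@ -1424,5 +1424,5 @@
                 <label for="user_pass"><?php _e( 'Password' ); ?></label>
                 <div class="wp-pwd">
-                    <input type="password" name="pwd" id="user_pass"<?php echo $aria_describedby; ?> class="input password-input" value="" size="20" autocomplete="current-password" />
+                    <input type="password" name="pwd" id="user_pass"<?php echo $aria_describedby; ?> class="input password-input" value="" size="20" autocomplete="current-password" spellcheck="false" />
                     <button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="<?php esc_attr_e( 'Show password' ); ?>">
                         <span class="dashicons dashicons-visibility" aria-hidden="true"></span>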
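Review bot: Nothing next to the new `spellcheck="false"` attributes records why they are there, and on a masked `type="password"` input the attribute can look redundant to a later cleanup. The fields on lines 961 and 1426 sit beside a `wp-hide-pw` toggle button, which presumably reveals the value as plain text; that is the state in which a browser or extension spellchecker could read the password and, as the commit message notes, send it to a third party. A short template comment above each field would preserve the rationale, for example `<?php // spellcheck="false": keep a revealed password away from spellcheckers that may send text to a third party. ?>`. The enclosing forms start and end outside these hunks, so whether the toggle script changes the input type could not be confirmed from here.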