Make WordPress Core


Timestamp:
01/19/2023 08:51:41 AM (3 years ago)
Author:
audrasjb
Message:

Login and Registration: Disable spellcheck for password fields.

This changeset adds the spellcheck="false" attribute to various password fields.

The spellcheck global attribute defines whether the element may be checked for spelling errors. The false value indicates that the element should not be checked for spelling errors, which is relevant for a password field.

Furthermore, and as per MDN specs, using spellchecking can have consequences for users' security and privacy. The specification does not regulate how spellchecking is done and the content of the element may be sent to a third party for spellchecking results. Thus, it is recommended to set the spellcheck attribute to false for elements that can contain sensitive information, which is the case for password fields.

Props dziudek, audrasjb, gainesm, fosuahmed.
Fixes #56763.

File:
1 edited

  • trunk/src/wp-admin/install.php

    r54326 r55094  
    141141                <div class="wp-pwd">
    142142                    <?php $initial_password = isset( $_POST['admin_password'] ) ? stripslashes( $_POST['admin_password'] ) : wp_generate_password( 18 ); ?>
    143                     <input type="password" name="admin_password" id="pass1" class="regular-text" autocomplete="new-password" data-reveal="1" data-pw="<?php echo esc_attr( $initial_password ); ?>" aria-describedby="pass-strength-result" />
     143                    <input type="password" name="admin_password" id="pass1" class="regular-text" spellcheck="false" autocomplete="new-password" data-reveal="1" data-pw="<?php echo esc_attr( $initial_password ); ?>" aria-describedby="pass-strength-result" />
    144144                    <button type="button" class="button wp-hide-pw hide-if-no-js" data-start-masked="<?php echo (int) isset( $_POST['admin_password'] ); ?>" data-toggle="0" aria-label="<?php esc_attr_e( 'Hide password' ); ?>">
    145145                        <span class="dashicons dashicons-hidden"></span>
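Review bot: On the pass1 input, spellcheck="false" is added to a field that also carries data-reveal="1" and is paired with the wp-hide-pw toggle button, so the state where this attribute matters is when the value is displayed as readable text. The diff does not show how the toggle changes the field; please confirm it only switches the type on the existing element rather than replacing it, otherwise the attribute would be lost in the revealed state. A test asserting that the attribute is still present after toggling would keep this from regressing.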
     
    161161            </th>
    162162            <td>
    163                 <input name="admin_password2" type="password" id="pass2" autocomplete="new-password" />
     163                <input name="admin_password2" type="password" id="pass2" autocomplete="new-password" spellcheck="false" />
    164164            </td>
    165165        </tr>
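Review bot: On pass2 the attribute is appended after autocomplete="new-password", while on pass1 it is placed before autocomplete; use one position for both inputs so later searches and markup edits treat them the same way. Also, the message speaks of various password fields, but this changeset edits only trunk/src/wp-admin/install.php, so it is worth stating whether password inputs elsewhere are handled separately.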