Make WordPress Core


Ignore:
Timestamp:
01/19/2023 08:51:41 AM (21 months ago)
Author:
audrasjb
Message:

Login and Registration: Disable spellcheck for password fields.

This changeset adds spellcheck="false" attribute to various password fields.

The spellcheck global attribute defines whether the element may be checked for spelling errors. The false value indicates that the element should not be checked for spelling errors, which is relevant for a password field.

Furthermore, and as per MDN specs, using spellchecking can have consequences for users' security and privacy. The specification does not regulate how spellchecking is done and the content of the element may be sent to a third party for spellchecking results. Thus, it is recommended to set spellcheck attribute to false for elements that can contain sensitive information. Which is the case for password fields.

Props dziudek, audrasjb, gainesm, fosuahmed.
Fixes #56763.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/post-template.php

    r54957 r55094  
    17531753    $output = '<form action="' . esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ) . '" class="post-password-form" method="post">
    17541754    <p>' . __( 'This content is password protected. To view it please enter your password below:' ) . '</p>
    1755     <p><label for="' . $label . '">' . __( 'Password:' ) . ' <input name="post_password" id="' . $label . '" type="password" size="20" /></label> <input type="submit" name="Submit" value="' . esc_attr_x( 'Enter', 'post password form' ) . '" /></p></form>
     1755    <p><label for="' . $label . '">' . __( 'Password:' ) . ' <input name="post_password" id="' . $label . '" type="password" spellcheck="false" size="20" /></label> <input type="submit" name="Submit" value="' . esc_attr_x( 'Enter', 'post password form' ) . '" /></p></form>
    17561756    ';
    17571757
Note: See TracChangeset for help on using the changeset viewer.