Fixes xss, clickjacking & password autocompletion

2025-07-22 18:28:37 +00:00 · 2016-11-29 22:49:06 +01:00
parent ccad2cce32
commit 1e9730a779
5 changed files with 13 additions and 10 deletions
--- a/templates/user/auth/reset_passwd.tmpl
+++ b/templates/user/auth/reset_passwd.tmpl
@@ -13,7 +13,7 @@
 					{{if .IsResetForm}}
 						<div class="required inline field {{if .Err_Password}}error{{end}}">
 							<label for="password">{{.i18n.Tr "password"}}</label>
-							<input id="password" name="password" type="password"  value="{{.password}}" autofocus required>
+							<input id="password" name="password" type="password"  value="{{.password}}" autocomplete="off" autofocus required>
 						</div>
 						<div class="ui divider"></div>
 						<div class="inline field">
--- a/templates/user/auth/signin.tmpl
+++ b/templates/user/auth/signin.tmpl
@@ -15,7 +15,7 @@
 					</div>
 					<div class="required inline field {{if .Err_Password}}error{{end}}">
 						<label for="password">{{.i18n.Tr "password"}}</label>
-						<input id="password" name="password" type="password" value="{{.password}}" required>
+						<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" required>
 					</div>
 					<div class="inline field">
 						<label></label>
--- a/templates/user/auth/signup.tmpl
+++ b/templates/user/auth/signup.tmpl
@@ -22,11 +22,11 @@
 						</div>
 						<div class="required inline field {{if .Err_Password}}error{{end}}">
 							<label for="password">{{.i18n.Tr "password"}}</label>
-							<input id="password" name="password" type="password" value="{{.password}}" required>
+							<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" required>
 						</div>
 						<div class="required inline field {{if .Err_Password}}error{{end}}">
 							<label for="retype">{{.i18n.Tr "re_type"}}</label>
-							<input id="retype" name="retype" type="password" value="{{.retype}}" required>
+							<input id="retype" name="retype" type="password" value="{{.retype}}" autocomplete="off" required>
 						</div>
 						{{if .EnableCaptcha}}
 							<div class="inline field">
--- a/templates/user/settings/password.tmpl
+++ b/templates/user/settings/password.tmpl
@@ -14,15 +14,15 @@
 						{{.CsrfTokenHtml}}
 						<div class="required field {{if .Err_OldPassword}}error{{end}}">
 							<label for="old_password">{{.i18n.Tr "settings.old_password"}}</label>
-							<input id="old_password" name="old_password" type="password" autofocus required>
+							<input id="old_password" name="old_password" type="password" autocomplete="off" autofocus required>
 						</div>
 						<div class="required field {{if .Err_Password}}error{{end}}">
 							<label for="password">{{.i18n.Tr "settings.new_password"}}</label>
-							<input id="password" name="password" type="password" required>
+							<input id="password" name="password" type="password" autocomplete="off" required>
 						</div>
 						<div class="required field {{if .Err_Password}}error{{end}}">
 							<label for="retype">{{.i18n.Tr "settings.retype_new_password"}}</label>
-							<input id="retype" name="retype" type="password" required>
+							<input id="retype" name="retype" type="password" autocomplete="off" required>
 						</div>

 						<div class="field">
@@ -33,7 +33,7 @@
 					<div class="ui info message">
 						<p class="text left">{{$.i18n.Tr "settings.password_change_disabled"}}</p>
 					</div>
-					{{end}} 
+					{{end}}
 				</div>
 			</div>
 		</div>