how to disable autocomplete on password fields?

[nathanscrivener]

Hi, my security scanner has identified a recommendation to disable autocomplete on password fields. After consideration, I think this is a good idea, but am unsure how to do so...

I can see from tpl_modules_create_account.php that there is a function zen_draw_password_field, but am not clued on enough to solve this myself!

Any help would be much appreciated

[kuroi]

If you find these lines in your includes/functions/html_output.php file

PHP Code:

// Output a form password field
  function zen_draw_password_field($name, $value = '', $required = false) {
    $field = zen_draw_input_field($name, $value, 'maxlength="40"', $required, 'password', false); 


and replace them with

PHP Code:

// Output a form password field
  function zen_draw_password_field($name, $value = '', $required = false) {
    $field = zen_draw_input_field($name, $value, 'maxlength="40" autocomplete="off"', $required, 'password', false); 


it should do the trick.

[nathanscrivener]

Awesome, thanks for your help

[nathanscrivener]

Hi, on another look at this, I haven't managed to achieve what I set out to do. My code (1.3.8a) is slightly different to what you posted above, but I did my best to adapt what you were saying and ended up with this:

/*
* Output a form password field
*/
function zen_draw_password_field($name, $value = '', $parameters = 'maxlength="40" autocomplete="off"') {
return zen_draw_input_field($name, $value, $parameters, 'password', true);
}


But in the browser render of the page I see this:


<fieldset>

<legend>Create a Password (needed to track your packages)</legend>

<br class="clearBoth">

<label class="inputLabel" for="password-new">Password:</label>

<input type="password" name="password" size = "21" maxlength= "40" id="password-new" /><span class="alert">* (at least 5 characters)</span><br class="clearBoth" />



<label class="inputLabel" for="password-confirm">Confirm Password:</label>

<input type="password" name="confirmation" size = "21" maxlength= "40" id="password-confirm" /><span class="alert">*</span><br class="clearBoth" />

</fieldset>


The desired autocomplete=off has not worked.

Any more ideas??? Thanks for your help

[DrByte]

With respect, you really do need to be upgrading.

[nathanscrivener]

Thanks, we plan on doing so, but due to the number of contributions installed it is not going to be easy.

In the meantime I would appreciate if somebody would be kind enough to advise on this issue?

[Website Rob]

Allow me to clear up some confusion here.

There is only 1 'html_output.php' file which is found in 'includes/functions' and it appears there has not been any changes to the 'password field' coding between versions.

v1.3.8a
includes/functions/html_output.php file #385

/*
* Output a form password field
*/
function zen_draw_password_field($name, $value = '', $parameters = 'maxlength="40"') {
return zen_draw_input_field($name, $value, $parameters, 'password', true);
}

v1.3.9h
includes/functions/html_output.php file #384

/*
* Output a form password field
*/
function zen_draw_password_field($name, $value = '', $parameters = 'maxlength="40"') {
return zen_draw_input_field($name, $value, $parameters, 'password', true);
}



It is true the second line needs to be altered and it is done like so.

/*
* Output a form password field
*/
function zen_draw_password_field($name, $value = '', $parameters = 'maxlength="40"') {
return zen_draw_input_field($name, $value, $parameters, 'password autocomplete="off"', true);
}

[Website Rob]

Ok, so the above change does prevent autocomplete but causes two other problems;

- password is no longer hidden
- HTML code is now invalid

So although it works, it would probably not be advisable to use.

At this time HTML 4 and XHTML 1 do not support the 'autocomplete' attribute. It is in HTML 5 but that is not currently used with Zen Cart.


Also of note, changing the $parameters = '' value does not appear to effect any changes at all? What's up with that?

[DrByte]

Apparently kuroi quoted from the admin version of html_output.php, instead of the storefront version. Hence the confusion. Nevertheless, the concept was the same.

However, Website Rob is correct in that the password is no longer hidden.
Instead, because password fields are handled differently, you'll need to edit your tpl_login_default.php template file (for your custom template) and add autocomplete="off" into the zen_draw_form() calls, similar to this:

Code:

<?php echo zen_draw_form('login', zen_href_link(FILENAME_LOGIN, 'action=process', 'SSL'), 'post', 'id="loginForm" autocomplete="off"'); ?>

You'll probably want to do it for all the zen_draw_form calls in that template file, lest your scanner make their "suggestion" again.

The caveat to this is that the *entire* form contents will no longer be remembered, not just the password field. That's probably just as well though.

Remember to undo the changes you made to html_output.php, since they're irrelevant if you change the way the forms are drawn.

Remember to share the love: http://www.zen-cart.com/index.php?ma...es&pages_id=14