fix: disable spellchecking for password fields

Some browser can send password to a server for spellchecking. This
gives the browser a strong hint that they should not spellcheck a
password. Since a Password is not supposed to be a real word in any
language, spellchecking is worthless.

Author: rouilj

CHANGES.txt

@@ -261,6 +261,9 @@ Features:
   outstanding bugs against the current classhelper using
   current web features. (Patel Malav, Nikunj Thakkar,
   Bharath Kanama with integration by John Rouillard)
+- disable spellcheck on all password fields to try to prevent
+  browser from exposing passwords to external servers. (John
+  Rouillard)
 
 2023-07-13 2.3.0
 

doc/upgrading.txt

@@ -262,6 +262,41 @@ References:
 .. _issue2551282: https://issues.roundup-tracker.org/issue2551282
 .. _issue2551115: https://issues.roundup-tracker.org/issue2551115
 
+Disable spellcheck on all password fields (recommended)
+-------------------------------------------------------
+
+All tracker templates have been updated to disable spell checking on
+password input fields. This can help prevent exposing the password to
+an external server that provides spell checking for a browser. Since
+passwords should not be real words in any language, spell checking
+serves no purpose.
+
+If you have modified your template with a "show password" option you
+should disable spell check.
+
+To implement this in your deployed trackers, add::
+
+   spellcheck="false"
+
+to make your password inputs look like::
+
+   <input type="password" spellcheck="false" name=....>
+
+The changed files in the classic/devel/responsive templates are:
+
+.. code-block:: text
+
+   html/page.html
+   html/user.item.html
+
+and in the jinja2 template the following files were changed:
+
+.. code-block:: text
+
+   html/user.item.html
+   html/user.register.html
+   html/layout/navigation.html
+
 Add new classhelper to your templates (optional)
 ------------------------------------------------
 

share/roundup/templates/classic/html/page.html

@@ -132,7 +132,7 @@ <h2><span metal:define-slot="body_title">body title</span></h2>
    <p class="userblock">
     <b i18n:translate="">Login</b><br>
     <input size="10" required name="__login_name"><br>
-    <input size="10" type="password" required name="__login_password"><br>
+    <input size="10" spellcheck="false" type="password" required name="__login_password"><br>
     <input type="hidden" name="@action" value="Login">
     <input type="checkbox" name="remember" id="remember">
     <label for="remember" i18n:translate="">Remember me?</label><br>
@@ -376,8 +376,8 @@ <h2><span metal:define-slot="body_title">body title</span></h2>
     tal:attributes="id name; name name; value value; readonly not:edit_ok"
     value="heinz">
 <!-- password: type; no initial value -->
-    <input metal:define-macro="user_pw_input" type="password"
+    <input metal:define-macro="user_pw_input" spellcheck="false" type="password"
     tal:attributes="id name; name name; readonly not:edit_ok" value="">
-    <input metal:define-macro="user_confirm_input" type="password"
+    <input metal:define-macro="user_confirm_input" spellcheck="false" type="password"
     tal:attributes="id string:confirm_$name; name string:@confirm@$name; readonly not:edit_ok" value="">
 

share/roundup/templates/classic/html/user.item.html

@@ -68,11 +68,11 @@
  <tal:if condition="edit_ok">
  <tr tal:define="name string:password; label string:Login Password">
   <th metal:use-macro="th_label">Login Password</th>
-  <td><input metal:use-macro="pw_input" type="password"></td>
+  <td><input metal:use-macro="pw_input" spellcheck="false" type="password"></td>
  </tr>
  <tr tal:define="name string:password; label string:Confirm Password">
   <th metal:use-macro="th_label">Confirm Password</th>
-  <td><input metal:use-macro="confirm_input" type="password"></td>
+  <td><input metal:use-macro="confirm_input" spellcheck="false" type="password"></td>
  </tr>
  </tal:if>
  <tal:if condition="python:request.user.hasPermission('Web Roles')">

share/roundup/templates/devel/html/page.html

@@ -163,7 +163,7 @@ <h1><a href="/">Roundup Demo Tracker</a></h1>
         <li>
          <tal:span i18n:translate="">Login</tal:span><br/>
          <input size="10" required name="__login_name"/><br/>
-         <input size="10" type="password" required name="__login_password"/><br/>
+         <input size="10" spellcheck="false" type="password" required name="__login_password"/><br/>
 	 <input name="@csrf" type="hidden"
 		tal:attributes="value python:utils.anti_csrf_nonce()">
          <input type="hidden" name="@action" value="Login"/>
@@ -431,9 +431,9 @@ <h1 id="breadcrumb"><span metal:define-slot="body_title">body title</span></h1>
     tal:attributes="id name; name name; value value; readonly not:edit_ok"
     value="heinz"/>
 <!-- password: type; no initial value -->
-    <input metal:define-macro="user_pw_input" type="password"
+    <input metal:define-macro="user_pw_input" spellcheck="false" type="password"
     tal:attributes="id name; name name; readonly not:edit_ok" value=""/>
-    <input metal:define-macro="user_confirm_input" type="password"
+    <input metal:define-macro="user_confirm_input" spellcheck="false" type="password"
     tal:attributes="id string:confirm_$name; name string:@confirm@$name; readonly not:edit_ok" value=""/>
 
 <!-- SHA: ca32e5f43efcb7c3b4940df6f7a176f6990b15f0 -->

share/roundup/templates/devel/html/user.item.html

@@ -66,11 +66,11 @@
  <tal:if condition="edit_ok">
  <tr tal:define="name string:password; label string:Login Password">
   <th metal:use-macro="th_label">Login Password</th>
-  <td><input metal:use-macro="pw_input" type="password"></td>
+  <td><input metal:use-macro="pw_input" spellcheck="false" type="password"></td>
  </tr>
  <tr tal:define="name string:password; label string:Confirm Password">
   <th metal:use-macro="th_label">Confirm Password</th>
-  <td><input metal:use-macro="confirm_input" type="password"></td>
+  <td><input metal:use-macro="confirm_input" spellcheck="false" type="password"></td>
  </tr>
  </tal:if>
  <tal:if condition="python:request.user.hasPermission('Web Roles')">

share/roundup/templates/jinja2/html/layout/navigation.html

@@ -113,7 +113,7 @@
         <input class="form-control form-control-sm" type='text' required name="__login_name" placeholder='username'>
       </li>
       <li class="nav-item">
-        <input class="form-control form-control-sm" type="password" required name="__login_password" placeholder='password'>
+        <input class="form-control form-control-sm" spellcheck="false" type="password" required name="__login_password" placeholder='password'>
       </li>
       <li class="nav-item">
         <label class="form-control form-control-sm" class='checkbox'>

share/roundup/templates/jinja2/html/user.item.html

@@ -46,13 +46,13 @@
           <tr>
             <th>{% trans %}Login Password{% endtrans %}</th>
             <td>
-              <input class="form-control" type='password' name='password'>
+              <input class="form-control" spellcheck='false' type='password' name='password'>
             </td>
           </tr>
           <tr>
             <th>{% trans %}Confirm Password{% endtrans %}</th>
             <td>
-              <input class="form-control" type='password' name='@confirm@password'>
+              <input class="form-control" spellcheck='false' type='password' name='@confirm@password'>
             </td>
           </tr>
         {% endif %}

share/roundup/templates/jinja2/html/user.register.html

@@ -32,13 +32,13 @@
       <tr>
         <th>{% trans %}Login Password{% endtrans %}</th>
         <td>
-          <input type='password' name='password' required>
+          <input spellcheck='false' type='password' name='password' required>
         </td>
       </tr>
       <tr>
         <th>{% trans %}Confirm Password{% endtrans %}</th>
         <td>
-          <input type='password' name='@confirm@password'>
+          <input spellcheck='false' type='password' name='@confirm@password'>
         </td>
       </tr>
       {% if request.user.hasPermission('Web Roles') %}

share/roundup/templates/minimal/html/page.html

@@ -130,7 +130,7 @@ <h2><span metal:define-slot="body_title">body title</span></h2>
    <p class="userblock">
     <b i18n:translate="">Login</b><br>
     <input size="10" required name="__login_name"><br>
-    <input size="10" type="password" required name="__login_password"><br>
+    <input size="10" type="password" spellcheck="false" required name="__login_password"><br>
     <input name="@csrf" type="hidden"
            tal:attributes="value python:utils.anti_csrf_nonce()">
     <input type="hidden" name="@action" value="Login">
@@ -338,8 +338,8 @@ <h2><span metal:define-slot="body_title">body title</span></h2>
     tal:attributes="id name; name name; value value; readonly not:edit_ok"
     value="heinz">
 <!-- password: type; no initial value -->
-    <input metal:define-macro="user_pw_input" type="password"
+    <input metal:define-macro="user_pw_input" spellcheck="false" type="password"
     tal:attributes="id name; name name; readonly not:edit_ok" value="">
-    <input metal:define-macro="user_confirm_input" type="password"
+    <input metal:define-macro="user_confirm_input" spellcheck="false" type="password"
     tal:attributes="id string:confirm_$name; name string:@confirm@$name; readonly not:edit_ok" value="">