Do not autofill inputs meant for password recovery #1999

Merged: 1 commit, Oct 25, 2021

gabrielfin (Contributor)

This adds the fix I suggested in issue #1956. I have tested it and it works.

Some websites have a form to recover a forgotten password on the same page as the login form. Bitwarden incorrectly autofills that form when the input is named "forgotpassword", because it contains the word "password".

Here's an example: https://demo.phplist.org/lists/admin/

eliykat self-assigned this on Aug 10, 2021

gabrielfin (Contributor, Author)

Is there any news on this?

I use PHPList a lot, and this shows the password in plaintext to anyone watching or recording the screen in videoconference meetings.

eliykat (Member) left a comment

I'm usually hesitant to change autofill logic to fix a single site. It might break other sites or cause regressions, and we don't have any good automated testing to detect that.

However, this seems like a reasonable change in general. I can imagine this coming up for a few sites, and I doubt we'd want to fill a password in these circumstances. The ignoreList is fairly targeted to begin with. Let's do it!

Unless there are any issues, this will be included in the November release. If you want to disable that field in the meantime, you can create a custom field for the input. Make it a Text custom field but leave the value empty and it should prevent anything else from being filled in that field.

Thanks for the PR!
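
An illustration of the behaviour discussed in this thread, added here and not taken from the Bitwarden code base or from either participant: a name-based password-field heuristic run with and without an ignore entry for "forgotpassword". The function names, the field objects and the sample page are constructed assumptions; only the "forgotpassword" input name and the idea of an ignore list come from the thread.

```javascript
// Hypothetical sketch of a name-based autofill heuristic (not Bitwarden's code).
const PASSWORD_HINTS = ["password"];
// The thread names "forgotpassword" as the input that must not be filled.
const IGNORE_LIST = ["forgotpassword"];

// Lowercase and drop separators so "Forgot_Password" compares equal to "forgotpassword".
function normalize(value) {
  return String(value || "").toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Collect the attributes a heuristic of this kind would inspect.
function fieldLabels(field) {
  return [field.name, field.id, field.placeholder].map(normalize).filter(Boolean);
}

// Decide whether the stored password would be written into this field.
function isPasswordTarget(field, ignoreList) {
  const labels = fieldLabels(field);
  // Ignore entries win over every positive signal, including type="password".
  if (labels.some((l) => ignoreList.some((bad) => l.includes(bad)))) return false;
  if (field.type === "password") return true;
  // Fallback: a text input whose name merely contains "password".
  return field.type === "text" &&
    labels.some((l) => PASSWORD_HINTS.some((hint) => l.includes(hint)));
}

// Return the names of the fields that would receive the password.
function planFill(fields, ignoreList) {
  return fields.filter((f) => isPasswordTarget(f, ignoreList)).map((f) => f.name);
}

// Constructed sample: a login form and a recovery form on the same page.
const samplePage = [
  { name: "login", id: "login", type: "text" },
  { name: "password", id: "password", type: "password" },
  { name: "forgotpassword", id: "forgotpassword", type: "text" },
];

const withoutIgnore = planFill(samplePage, []);
const withIgnore = planFill(samplePage, IGNORE_LIST);
console.log("filled without ignore entry:", withoutIgnore);
console.log("filled with ignore entry:", withIgnore);
```

Without the ignore entry the password lands in the visible text input of the recovery form, which is the plaintext exposure described above; with it, only the real password field is filled.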
