Fixed Register form: Use autocomplete="new-password" instead of autocomplete="off" for password field

[Steffen]

Affected version

2.1.1

While investigating an autofill issue in Chrome 73, I've noticed that XenForo uses autocomplete="off" for the password field in the register form. I'm not aware of specific issues caused by this decision but it'd probably good to follow the recommendation to use autocomplete="new-password" (on the change password form, too). See: https://www.chromium.org/developers/design-documents/form-styles-that-chromium-understands

Add an autocomplete attribute with a value of new-password for the password field on sign-up and change-password forms.

See also: https://developers.google.com/web/f..._input_name_and_autocomplete_attribute_values

 

[Steffen]

This patch only changes the password change form and should not cause any problems:

--- a/src/addons/XF/_data/templates.xml
+++ b/src/addons/XF/_data/templates.xml
@@ -26195,14 +26195,14 @@ pre.code
             <hr class="formRowSep" />
 
             <xf:if is="$hasPassword">
-                <xf:passwordboxrow name="old_password" autofocus="autofocus"
+                <xf:passwordboxrow name="old_password" autocomplete="current-password" autofocus="autofocus"
                     label="{{ phrase('your_existing_password') }}"
                     explain="{{ phrase('you_must_verify_existing_password_before_changing') }}" />
 
-                <xf:passwordboxrow name="password" checkstrength="true"
+                <xf:passwordboxrow name="password" autocomplete="new-password" checkstrength="true"
                     label="{{ phrase('new_password') }}" />
 
-                <xf:passwordboxrow name="password_confirm"
+                <xf:passwordboxrow name="password_confirm" autocomplete="new-password"
                     label="{{ phrase('confirm_new_password') }}" />
             <xf:else />
                 <xf:formrow label="{{ phrase('password') }}">

This patch applies the autocomplete changes to the register form (it could maybe reduce the effectiveness of XenForo's "Spam catcher fields"):

--- a/src/addons/XF/_data/templates.xml
+++ b/src/addons/XF/_data/templates.xml
@@ -60682,7 +60682,7 @@ button,hr,input{overflow:visible}audio,canvas,progress,video{display:inline-bloc
                     explain="{{ phrase('please_leave_this_field_blank') }}" />
             </xf:if>
 
-            <xf:passwordboxrow name="{{ $regForm.getFieldName('password') }}" autocomplete="off"
+            <xf:passwordboxrow name="{{ $regForm.getFieldName('password') }}" autocomplete="new-password"
                 label="{{ phrase('password') }}"
                 hint="{{ phrase('required') }}"
                 required="required" checkstrength="true" />
@@ -60714,7 +60714,7 @@ button,hr,input{overflow:visible}audio,canvas,progress,video{display:inline-bloc
     arg-value=""
     arg-autoFocus="{{ true }}">
 
-    <xf:textboxrow name="{$fieldName}" value="{$value}" autocomplete="off" required="required"
+    <xf:textboxrow name="{$fieldName}" value="{$value}" autocomplete="username" required="required"
         autofocus="{{ $autoFocus ? 'autofocus' : false }}"
         maxlength="{{ $xf.options.usernameLength.max ?: max_length($xf.visitor, 'username') }}"
         label="{{ phrase('user_name') }}"
@@ -60726,7 +60726,7 @@ button,hr,input{overflow:visible}audio,canvas,progress,video{display:inline-bloc
     arg-fieldName="email"
     arg-value="">
 
-    <xf:textboxrow name="{$fieldName}" value="{$value}" type="email" autocomplete="off" required="required"
+    <xf:textboxrow name="{$fieldName}" value="{$value}" type="email" autocomplete="email" required="required"
         maxlength="{{ max_length($xf.visitor, 'email') }}"
         label="{{ phrase('email') }}"
         hint="{{ phrase('required') }}" />

 

[XF Bug Bot]

Thank you for reporting this issue. It has now been resolved and we are aiming to include it in a future XF release (2.1.2).

Change log:

Correctly support specific autocomplete attribute types for registration and password changes.

Any changes made as a result of this issue being resolved may not be rolled out here until later.