diff doc/upgrading.txt @ 8058:0e382e97f0e3
fix: disable spellchecking for password fields
Some browsers can send a password to a server for spellchecking. This
gives the browser a strong hint that it should not spellcheck a
password. Since a password is not supposed to be a real word in any
language, spellchecking is worthless.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 07 Jul 2024 10:49:40 -0400 |
| parents | 3ddc6a7d41de |
| children | 28aa76443f58 |
--- a/doc/upgrading.txt Mon Jul 01 20:16:45 2024 -0400 +++ b/doc/upgrading.txt Sun Jul 07 10:49:40 2024 -0400 @@ -262,6 +262,41 @@ .. _issue2551282: https://issues.roundup-tracker.org/issue2551282 .. _issue2551115: https://issues.roundup-tracker.org/issue2551115 +Disable spellcheck on all password fields (recommended) +------------------------------------------------------- + +All tracker templates have been updated to disable spell checking on +password input fields. This can help prevent exposing the password to +an external server that provides spell checking for a browser. Since +passwords should not be real words in any language, spell checking +serves no purpose. + +If you have modified your template with a "show password" option you +should disable spell check. + +To implement this in your deployed trackers, add:: + + spellcheck="false" + +to make your password inputs look like:: + + <input type="password" spellcheck="false" name=....> + +The changed files in the classic/devel/responsive templates are: + +.. code-block:: text + + html/page.html + html/user.item.html + +and in the jinja2 template the following files were changed: + +.. code-block:: text + + html/user.item.html + html/user.register.html + html/layout/navigation.html + Add new classhelper to your templates (optional) ------------------------------------------------
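Review bot: In the "show password" paragraph, "you should disable spell check" does not say which element needs the attribute or why that case is singled out. Suggest stating that spellcheck="false" must be on the input that the option reveals, because the example only covers `<input type="password" ...>` and an input switched to a text type is where browser spell checking would normally apply. Separately, the classic/devel/responsive file list names html/page.html and html/user.item.html but not html/user.register.html, which the jinja2 list includes; if those templates ship a registration page with a password input, either list it or say that it needed no change.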
