From 4822eed99dc20742fcea5c31c9a9a192188a53e0 Mon Sep 17 00:00:00 2001
From: wxiaoguang
Date: Tue, 19 Oct 2021 06:08:41 +0800
Subject: [PATCH] Disable form autofill (#17291)
]* fix aria-hidden and tabindex
* use {{template "base/disable_form_autofill"}} instead of {{DisableFormAutofill}}
Co-authored-by: zeripath
---
 templates/admin/auth/edit.tmpl | 2 +-
 templates/admin/auth/new.tmpl | 1 +
 templates/admin/auth/source/ldap.tmpl | 1 -
 templates/admin/user/edit.tmpl | 2 +-
 templates/admin/user/new.tmpl | 2 +-
 templates/base/disable_form_autofill.tmpl | 31 ++++++++++++++++++++++
 templates/repo/migrate/git.tmpl | 2 +-
 templates/repo/migrate/onedev.tmpl | 2 +-
 templates/repo/settings/options.tmpl | 7 ++---
 templates/repo/settings/webhook/gitea.tmpl | 2 +-
 templates/repo/settings/webhook/gogs.tmpl | 2 +-
 templates/user/settings/account.tmpl | 3 ++-
 web_src/less/_base.less | 9 ++++---
 13 files changed, 51 insertions(+), 15 deletions(-)
 create mode 100644 templates/base/disable_form_autofill.tmpl
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index 2f77e9bd801d..e7215e2e1af0 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -8,6 +8,7 @@
+ {{template "base/disable_form_autofill"}} {{.CsrfTokenHtml}}
@@ -55,7 +56,6 @@
-
diff --git a/templates/admin/auth/new.tmpl b/templates/admin/auth/new.tmpl
index 13e1366c874e..b8e80dbcaaa0 100644
--- a/templates/admin/auth/new.tmpl
+++ b/templates/admin/auth/new.tmpl
@@ -8,6 +8,7 @@
+ {{template "base/disable_form_autofill"}} {{.CsrfTokenHtml}}
diff --git a/templates/admin/auth/source/ldap.tmpl b/templates/admin/auth/source/ldap.tmpl
index b553502b9402..9ea0fdf8c060 100644
--- a/templates/admin/auth/source/ldap.tmpl
+++ b/templates/admin/auth/source/ldap.tmpl
@@ -30,7 +30,6 @@
-
diff --git a/templates/admin/user/edit.tmpl b/templates/admin/user/edit.tmpl
index 60cd8ad52321..fb0ccd22bb5f 100644
--- a/templates/admin/user/edit.tmpl
+++ b/templates/admin/user/edit.tmpl
@@ -8,6 +8,7 @@
+ {{template "base/disable_form_autofill"}} {{.CsrfTokenHtml}}
@@ -67,7 +68,6 @@
-
diff --git a/templates/admin/user/new.tmpl b/templates/admin/user/new.tmpl
index 0de1a5c7757e..27ad28842ad0 100644
--- a/templates/admin/user/new.tmpl
+++ b/templates/admin/user/new.tmpl
@@ -8,6 +8,7 @@
+ {{template "base/disable_form_autofill"}} {{.CsrfTokenHtml}}
@@ -61,7 +62,6 @@
-
diff --git a/templates/base/disable_form_autofill.tmpl b/templates/base/disable_form_autofill.tmpl
new file mode 100644
index 000000000000..6f06395bedb3
--- /dev/null
+++ b/templates/base/disable_form_autofill.tmpl
@@ -0,0 +1,31 @@
+{{/* Why we need to disable form autofill: 1. Many pages contain different password inputs for different usages, eg: repo setting, autofill will make a mess. 2. We have `areYouSure` confirm dialog if a user leaves a pages without submit. Autofill will make the form changed even if the user didn't input anything. Then the user keeps seeing annoying confirm dialog. In history, Gitea put `` in forms to bypass the autofill, but there were still many forms suffered the autofill problem. Now we improve it. Solutions which do NOT work: 1. Adding `autocomplete=off` doesn't help. New Chrome completely ignores it. 2. Use a JavaScript to run in a few seconds later after the page is loaded to process the autofilled inputs, it doesn't work. Because for security reason, the inputs won't be filled before the user makes an interaction in the page. So we can not predict the correct time to run the JavaScript code. Solutions which work: 1. Some hacky methods like: https://github.com/matteobad/detect-autofill 2. This solution: use invisible inputs. Be aware of: (a) The inputs must be at the beginning of the form, and can not be hidden. (b) The input for username must have a valid name. (c) There should be no negative word (eg: fake) in the `name` attribute. (d) Chrome seems to use a weighted algorithm to choose an input to fill text, so the using "username" as input name is better than using "user". We make the names of these dummy inputs begin with an underline to indicate it is for special usage, and these dummy form values won't be used by backend code. */}}
+
diff --git a/templates/repo/migrate/git.tmpl b/templates/repo/migrate/git.tmpl
index 6525a9b4f50c..39f47b27c786 100644
--- a/templates/repo/migrate/git.tmpl
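Review bot: The closing sentence of the comment, "these dummy form values won't be used by backend code", states a promise the template cannot enforce and leaves out the part a maintainer needs: a browser that autofills the invisible password input will place a real saved credential in it, and that value is then POSTed to every handler whose form includes this template (repo settings, webhooks, migrations, admin forms). Suggest extending the comment with `Browsers may still put a real saved password into the dummy field, so request handlers, form binding and request logging must treat every field whose name begins with an underline as sensitive and never persist or log it.` so the contract is visible where the fields are defined. The input elements themselves are not visible in this rendering of the hunk, so their attributes (the commit message mentions aria-hidden and tabindex) cannot be confirmed here. Minor wording: "so the using "username" as input name" reads as a typo for "so using".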
+++ b/templates/repo/migrate/git.tmpl
@@ -3,6 +3,7 @@
+ {{template "base/disable_form_autofill"}} {{.CsrfTokenHtml}}

{{.i18n.Tr "repo.migrate.migrate" .service.Title}} @@ -21,7 +22,6 @@

-
diff --git a/templates/repo/migrate/onedev.tmpl b/templates/repo/migrate/onedev.tmpl
index def366f9d8da..3dcc253d2ebf 100644
--- a/templates/repo/migrate/onedev.tmpl
+++ b/templates/repo/migrate/onedev.tmpl
@@ -3,6 +3,7 @@
+ {{template "base/disable_form_autofill"}} {{.CsrfTokenHtml}}

{{.i18n.Tr "repo.migrate.migrate" .service.Title}} @@ -22,7 +23,6 @@

-
diff --git a/templates/repo/settings/options.tmpl b/templates/repo/settings/options.tmpl
index 3a446611236e..211b7da8e7cf 100644
--- a/templates/repo/settings/options.tmpl
+++ b/templates/repo/settings/options.tmpl
@@ -9,6 +9,7 @@
+ {{template "base/disable_form_autofill"}} {{.CsrfTokenHtml}}
@@ -104,6 +105,7 @@
+ {{template "base/disable_form_autofill"}} {{.CsrfTokenHtml}}
@@ -132,7 +134,6 @@
-
@@ -195,11 +196,12 @@
+ {{template "base/disable_form_autofill"}} {{.CsrfTokenHtml}}
- +

{{.i18n.Tr "repo.mirror_address_desc"}}

@@ -211,7 +213,6 @@
-
diff --git a/templates/repo/settings/webhook/gitea.tmpl b/templates/repo/settings/webhook/gitea.tmpl
index bd91ce9e9caf..09c49500a4e1 100644
--- a/templates/repo/settings/webhook/gitea.tmpl
+++ b/templates/repo/settings/webhook/gitea.tmpl
@@ -1,6 +1,7 @@
 {{if eq .HookType "gitea"}}

{{.i18n.Tr "repo.settings.add_webhook_desc" "https://docs.gitea.io/en-us/webhooks/" | Str2html}}

+ {{template "base/disable_form_autofill"}} {{.CsrfTokenHtml}}
@@ -30,7 +31,6 @@
-
diff --git a/templates/repo/settings/webhook/gogs.tmpl b/templates/repo/settings/webhook/gogs.tmpl
index 05fcbe6a5e4b..3a833ddbdcb0 100644
--- a/templates/repo/settings/webhook/gogs.tmpl
+++ b/templates/repo/settings/webhook/gogs.tmpl
@@ -1,6 +1,7 @@
 {{if eq .HookType "gogs"}}

{{.i18n.Tr "repo.settings.add_webhook_desc" "https://docs.gitea.io/en-us/webhooks/" | Str2html}}

+ {{template "base/disable_form_autofill"}} {{.CsrfTokenHtml}}
@@ -18,7 +19,6 @@
-
diff --git a/templates/user/settings/account.tmpl b/templates/user/settings/account.tmpl
index 5be3d5dc5180..9ed5d3a6dd1a 100644
--- a/templates/user/settings/account.tmpl
+++ b/templates/user/settings/account.tmpl
@@ -9,6 +9,7 @@
{{if or (.SignedUser.IsLocal) (.SignedUser.IsOAuth2)}} + {{template "base/disable_form_autofill"}} {{.CsrfTokenHtml}} {{if .SignedUser.IsPasswordSet}}
@@ -178,8 +179,8 @@ {{ end }}
+ {{template "base/disable_form_autofill"}} {{.CsrfTokenHtml}} -
diff --git a/web_src/less/_base.less b/web_src/less/_base.less
index 4e2782a4c8ce..59585b39e4b8 100644
--- a/web_src/less/_base.less
+++ b/web_src/less/_base.less
@@ -962,10 +962,13 @@ a.ui.card:hover,
 }
 .form {
- .fake {
- display: none !important;
+ .autofill-dummy {
+ position: absolute;
+ width: 1px;
+ height: 1px;
+ overflow: hidden;
+ z-index: -10000;
 }
-
 .sub.field {
 margin-left: 25px;
 }