Logged in as Admin, site is in Maintenance Mode.
Go to do an Admin registration for a new member and some of the Admin data is auto filled. See attachment.
Have to look but first guess is that we are missing a couple of autocomplete="off" statements in that form.
Latest Chrome doesn't respect autocomplete="off" anyway.. :|
Arg ... and I see IE11 will ignore it on password fields as well, preferring to use its internal smarts.
I'll add it to the form as a start which will help with some browsers. Past that, don't know, randomize the input name or some JS to try and prevent it.
Yep, I read the same about Chrome and Safari: they are going to ignore autocomplete=offI'd guess some javascript to cleanup the forms that need to be empty on $(document).ready.
Here is an attempt: https://github.com/Spuds/Elkarte/commit/1beca50f0b2f90da27a70992d997453930a20256
We already had some JS to add "autocomplete off" in profile.js
I've moved that to script_elk.js since we may need it in a few more places. I also updated it to use JQuery. In addition to adding the autocomplete=off I added in a .val('') to empty anything it may have been added. No idea if that will work or not or if its even a good idea. At least its a central function to work on/with for this issue.
Chrome is still loading the data... apparently they are added (by chrome), removed (by Elk), and then added again. >_<
I tried with a timed out call like that:
/**
* Attempt to prevent browsers from auto completing fields when viewing/editing other members profiles
* or when register new member
*/
function disableAutoComplete()
{
if (document.addEventListener)
document.addEventListener("DOMContentLoaded", delay_disableAutoCompleteNow, false);
}
function delay_disableAutoCompleteNow()
{
setTimeout(function() {disableAutoCompleteNow();}, 100);
}
/**
* Once DOMContentLoaded is triggered, find text and password fields in the forms
* turn autocomplete off and sempty the value.
*/
function disableAutoCompleteNow()
{
$("input[type=text]").attr("autocomplete", "off").val('');
$("input[type=email]").attr("autocomplete", "off").val('');
$("input[type=password]").attr("autocomplete", "off").val('');
}
it works, but is really a bit odd... :-\
Well at least you found something that works. I have not tried this: http://benjaminjshore.info/2014/05/chrome-auto-fill-honey-pot-hack.html but maybe that would work as well?
Only other thing that I can think of is the random name thing on the field like done in auto suggest (I think).
Nice finding! :D
That looks rather neat.
Hey
@Spuds Give this a try
$(document).ready(function(){
$(‘:input’).on(‘focus’,function(){
$(this).attr(‘autocomplete’, ‘off’);
});
});
Nope, already tried, doesn't work.
Chrome re-adds the user and password even if you remove them on document.ready.
Funny how we get this nice new feature in html5 only to have the browsers know better :P
Could try it as a load event, that should occur after dom ready ... so thats as late in the process as possible I think, may negate the need for the delay? Have not had a chance to try the honeypot approach in that blog, so if someone has time to give that a shot, please do, I'm stilling fidgeting with the darn linktree !
Forgot the basics of ready and onload :-X. Joker is getting old :D
Yup, tried the honeypot thing and it worked well with latest chrome (35.0.1916.153) on mac. But being a JS fan I wrote another snippet and the autocomplete issue got fixed with that too. Which approach seems better?
window.onload = function() {
if (navigator.userAgent.toLowerCase().indexOf("chrome") >= 0) {
setTimeout(function() {
console.log("calling");
$(".input_text").val(" ").val("");
$(".input_password").val(" ").val("");
}, 1);
}
};
Coolness ...
The honeypot is good for some cases, when you add it anything below that point will not autofill so its not very selective or you have to arrange your form just right. On the plus side it will work with JS off, so for some that could be a plus.
We should really just add that timeout function for all browsers, its not going to hurt anything and allows us to call it as needed for more specific targeting.
/me likes
+1
Ohh, yup thats sound nice. Actually I was having some fun with chrome, as a result the checked slipped in.
So I think we should move forward with honeypot approach and keep the JS approach as a back up, thoughts?
Agreed ... I think thats what we have in the repo now as well (its all a blur :D). The hidden field is named autofill_honey_pot in hopes that when someones finds it they don't think we are nuts for to long.
Recalling this, since it still seems to be a thing with Safari on macOS. It just delay fills the form regardless of what I do. It's especially annoying on user profile edits, where it fills out the user's email address field with my user name.