Dojo Dijit's ValidationTextBox's dijitValidationIcon causes "X " to be saved as the username on login forms

Status: NEW (Unassigned)
Type: defect
Priority: P2
Severity: normal
People: Reporter: MattN, Unassigned
Tracking: Trunk
Points: ---
Firefox Tracking Flags: firefox68 affected
Whiteboard: [passwords:heuristics]

User Story

Potential solutions:
A) Ignore a value of "X " for the username field detection
B) Ignore a match of .dijitValidationIcon for the username field detection
C) Ignore elements with `tabIndex="-1"` for the username field detection
D) Ignore elements with `readonly="readonly"` for the username field detection
E) Ignore elements with `role="presentation"` for the username field detection

Options C through E have the problem that they give sites additional ways to prevent saving data though maybe this is less of an issue for username fields than password fields. Keep in mind that attribute values could change at any point so, for example, @readonly at save time doesn't mean it was always read-only.

We don't have much precedent for doing something like (A) or (B) outside recipes… we had talked before about having recipes that can understand frameworks that are used… I also thought before about having global recipes to keep the complexity outside of LoginManagerContent.

<input class="dijitReset dijitInputField dijitValidationIcon dijitValidationInner" value="&#935; "
       type="text" tabIndex="-1" readonly="readonly" role="presentation"/>

Source: https://github.com/dojo/dijit/blame/cf03701f919c956a02b0a04cf09f8c5593302fb9/form/templates/ValidationTextBox.html#L4

I don't understand why an <input> is used here rather than an <img> or a <div>.

Affected Sites (feel free to edit to add to this list):

This seems like a very specific problem, so I'm not sure it needs a generalized solution - with the risks that carries of opening new means of abuse and affecting other legitimate uses. A recipe sounds like a good mechanism, but I guess the problem is how to implement that without imposing a runtime penalty on every site using a form.
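The options A through E from the user story, as an added example that is neither Firefox's LoginManagerContent nor Dojo's code: it models the username-field heuristic over plain field descriptors (a constructed, simplified form built from the Dojo template above) so it runs in Node without a DOM, and shows the icon `<input>` being picked when no exclusion is applied and the real field being picked when it is.

```javascript
// Added example, not Firefox's LoginManagerContent or Dojo code: models the
// username-field heuristic over plain field descriptors so it runs in Node
// without a DOM. Property names mirror the DOM attributes the bug mentions.
// "&#935; " in the Dojo template is U+03A7 GREEK CAPITAL LETTER CHI + space.
const DIJIT_MARKER_VALUE = "\u03A7 ";

// Options A through E from the user story: return the letter of the first
// option that excludes this field as a username candidate, or null if none.
function usernameExclusionReason(field) {
  const classes = (field.className || "").split(/\s+/);
  if (field.value === DIJIT_MARKER_VALUE) return "A";      // marker value
  if (classes.includes("dijitValidationIcon")) return "B"; // Dojo icon class
  if (field.tabIndex === -1) return "C";                   // tabIndex="-1"
  if (field.readOnly === true) return "D";                 // readonly
  if (field.role === "presentation") return "E";           // role="presentation"
  return null;
}

// Simplified heuristic: the username is the nearest text-like field that
// precedes the first password field. With applyExclusions=false this is the
// behaviour that saves the icon's "Χ " value; with true the real field wins.
function findUsernameField(fields, applyExclusions = true) {
  const TEXT_TYPES = new Set(["text", "email", "tel", "url"]);
  let candidate = null;
  for (const field of fields) {
    if (field.type === "password") break;
    if (!TEXT_TYPES.has(field.type)) continue;
    if (applyExclusions && usernameExclusionReason(field)) continue;
    candidate = field;
  }
  return candidate;
}

// Constructed sample: a login form built from the Dojo template above. The
// validation-icon <input> sits between the real username field and the
// password field, which is exactly where the heuristic looks.
const DOJO_LOGIN_FORM = [
  { name: "username", type: "text", className: "dijitInputInner", value: "alice" },
  { type: "text", className: "dijitReset dijitInputField dijitValidationIcon dijitValidationInner",
    value: DIJIT_MARKER_VALUE, tabIndex: -1, readOnly: true, role: "presentation" },
  { name: "password", type: "password", value: "hunter2" },
];

console.log(JSON.stringify(findUsernameField(DOJO_LOGIN_FORM, false).value),
  "->", findUsernameField(DOJO_LOGIN_FORM).name);
```

Any one of the exclusions is enough for this form; the order in `usernameExclusionReason` only decides which option letter is reported, and the caveat from the user story still applies (the attribute-based options C to E depend on what the attributes are at save time).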
