protecting input type="password"

admin/login.php

@@ -62,7 +62,7 @@ $c['main'] = '
   ' . $false_password . '
   <form action="login.php" method="post" accept-charset="UTF-8">
    <p><label for="password">' . $l['admin']['login_password'] . '</label>
-      <input class="userdata" id="password" type="password" name="password" autocomplete="off" spellcheck="false" writingsuggestions="false"/>
+      <input class="userdata" id="password" type="password" name="password" '.NO_PASSWORD_FORM_LEAKS.'/>
       <input style="display: none;" name="username" type="text" value="do-not-change" /></p>
    <p><input type="hidden" name="url" value="' . htmlspecialchars(!empty($get['url']) ? $get['url'] : '') . '" />
       <button value="' . $btnValue . '">' . $btnValue . '</button></p>

scripts/JlogUpdater.php

@@ -43,7 +43,7 @@ class JlogUpdater
     {
         $html = '<form action="' . $_SERVER['SCRIPT_NAME'] . '" method="post">'
               . '<p>' . $l['admin']['e_admin_password'] . ': '
-              . '<input type="password" name="jlog_password" value="" />'
+              . '<input type="password" name="jlog_password" value="" '.NO_PASSWORD_FORM_LEAKS.'/>'
               . '</p>';
         $version = $this->getOldVersion();
         while (isset($this->versions[$version])) {

scripts/general.func.php

@@ -1,4 +1,8 @@
 <?php
+// Attributes for <input type="password"> to prevent password leaks to
+// "intelligent" browser services if toggled to text for showing the password.
+define('NO_PASSWORD_FORM_LEAKS', 'autocomplete="off" spellcheck="false" writingsuggestions="false"');
+
 // get weblog link
 function blog($date, $url, $section = 'weblog') {
         if($section == 'weblog' OR $section == 'comment') {

scripts/settings.class.php

@@ -331,9 +331,9 @@ class Settings {
            <p><label for='publisher'>".$this->l['admin']['m_publisher']."</label><br />
               <input class='userdata' id='publisher' name='jlog_publisher' type='text' size='20' maxlength='255' value='".$this->defaultValue($data, 'jlog_publisher')."' /></p>
            <p><label for='admin_password'>".$this->l['admin']['m_admin_password'].$admincenter_password."</label><br />
-              <input class='userdata' id='admin_password' name='jlog_admin_password' type='password' size='20' maxlength='255' /></p>
+              <input class='userdata' id='admin_password' name='jlog_admin_password' type='password' size='20' maxlength='255'".NO_PASSWORD_FORM_LEAKS."/></p>
            <p><label for='admin_password_again'>".$this->l['admin']['m_admin_password_again'].$admincenter_password."</label><br />
-              <input class='userdata' id='admin_password_again' name='jlog_admin_password_again' type='password' size='20' maxlength='255' /></p>
+              <input class='userdata' id='admin_password_again' name='jlog_admin_password_again' type='password' size='20' maxlength='255'".NO_PASSWORD_FORM_LEAKS."/></p>
            <p><label for='email'>".$this->l['admin']['m_email']."</label><br />
               <input class='userdata' id='email' name='jlog_email' type='text' size='20' maxlength='255' value='".$this->defaultValue($data, 'jlog_email')."' /></p>
            <p><label for='description'>".$this->l['admin']['m_description']."</label><br />
@@ -373,7 +373,7 @@ class Settings {
            <p><label for='db_user'>".$this->l['admin']['m_db_user']."</label><br />
               <input class='userdata' id='db_user' name='jlog_db_user' type='text' size='20' maxlength='255' value='".$this->defaultValue($data, 'jlog_db_user')."' /></p>
            <p><label for='db_pwd'>".$this->l['admin']['m_db_pwd']."</label><br />
-              <input class='userdata' id='db_pwd' name='jlog_db_pwd' type='password' size='20' maxlength='255' value='".$this->defaultValue($data, 'jlog_db_pwd')."' /></p>
+              <input class='userdata' id='db_pwd' name='jlog_db_pwd' type='password' size='20' maxlength='255' value='".$this->defaultValue($data, 'jlog_db_pwd').'\' '.NO_PASSWORD_FORM_LEAKS."/></p>
            <p><label for='db_prefix'>".$this->l['admin']['m_db_prefix']."</label><br />
               <input class='userdata' id='db_prefix' name='jlog_db_prefix' type='text' size='20' maxlength='255' value='".$this->defaultValue($data, 'jlog_db_prefix')."' />
               <input name='jlog_start_year' type='hidden' value='".$this->defaultValue($data, 'jlog_start_year', date("Y"))."' /></p>
@@ -384,7 +384,7 @@ class Settings {
         }
     
         $form .= "
-          <p><input type='submit' class='button' value='".$this->l['admin']['submit']."' /></p>
+          <p><button value='{$this->l['admin']['submit']}'>{$this->l['admin']['submit']}</button></p>
          </form>
          ";