From 46f9843a0372317a30d0baab231f5c83dc449a86 Mon Sep 17 00:00:00 2001
From: RobbBienert <robertbienert@gmx.net>
Date: Sun, 6 Oct 2024 01:13:28 +0200
Subject: [PATCH] protecting input type="password"

---
 admin/login.php            | 2 +-
 scripts/JlogUpdater.php    | 2 +-
 scripts/general.func.php   | 4 ++++
 scripts/settings.class.php | 8 ++++----
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/admin/login.php b/admin/login.php
index 02a5b8c..3336a8e 100644
--- a/admin/login.php
+++ b/admin/login.php
@@ -62,7 +62,7 @@ $c['main'] = '
   ' . $false_password . '
   <form action="login.php" method="post" accept-charset="UTF-8">
    <p><label for="password">' . $l['admin']['login_password'] . '</label>
-      <input class="userdata" id="password" type="password" name="password" autocomplete="off" spellcheck="false" writingsuggestions="false"/>
+      <input class="userdata" id="password" type="password" name="password" '.NO_PASSWORD_FORM_LEAKS.'/>
       <input style="display: none;" name="username" type="text" value="do-not-change" /></p>
    <p><input type="hidden" name="url" value="' . htmlspecialchars(!empty($get['url']) ? $get['url'] : '') . '" />
       <button value="' . $btnValue . '">' . $btnValue . '</button></p>
diff --git a/scripts/JlogUpdater.php b/scripts/JlogUpdater.php
index 28ee773..54dba9d 100644
--- a/scripts/JlogUpdater.php
+++ b/scripts/JlogUpdater.php
@@ -43,7 +43,7 @@ class JlogUpdater
     {
         $html = '<form action="' . $_SERVER['SCRIPT_NAME'] . '" method="post">'
               . '<p>' . $l['admin']['e_admin_password'] . ': '
-              . '<input type="password" name="jlog_password" value="" />'
+              . '<input type="password" name="jlog_password" value="" '.NO_PASSWORD_FORM_LEAKS.'/>'
               . '</p>';
         $version = $this->getOldVersion();
         while (isset($this->versions[$version])) {
diff --git a/scripts/general.func.php b/scripts/general.func.php
index c7a684a..e3d9f07 100644
--- a/scripts/general.func.php
+++ b/scripts/general.func.php
@@ -1,4 +1,8 @@
 <?php
+// Attributes for <input type="password"> to prevent password leaks to
+// "intelligent" browser services if toggled to text for showing the password.
+define('NO_PASSWORD_FORM_LEAKS', 'autocomplete="off" spellcheck="false" writingsuggestions="false"');
+
 // get weblog link
 function blog($date, $url, $section = 'weblog') {
         if($section == 'weblog' OR $section == 'comment') {
diff --git a/scripts/settings.class.php b/scripts/settings.class.php
index 5684016..67e55ec 100644
--- a/scripts/settings.class.php
+++ b/scripts/settings.class.php
@@ -331,9 +331,9 @@ class Settings {
            <p><label for='publisher'>".$this->l['admin']['m_publisher']."</label><br />
               <input class='userdata' id='publisher' name='jlog_publisher' type='text' size='20' maxlength='255' value='".$this->defaultValue($data, 'jlog_publisher')."' /></p>
            <p><label for='admin_password'>".$this->l['admin']['m_admin_password'].$admincenter_password."</label><br />
-              <input class='userdata' id='admin_password' name='jlog_admin_password' type='password' size='20' maxlength='255' /></p>
+              <input class='userdata' id='admin_password' name='jlog_admin_password' type='password' size='20' maxlength='255'".NO_PASSWORD_FORM_LEAKS."/></p>
            <p><label for='admin_password_again'>".$this->l['admin']['m_admin_password_again'].$admincenter_password."</label><br />
-              <input class='userdata' id='admin_password_again' name='jlog_admin_password_again' type='password' size='20' maxlength='255' /></p>
+              <input class='userdata' id='admin_password_again' name='jlog_admin_password_again' type='password' size='20' maxlength='255'".NO_PASSWORD_FORM_LEAKS."/></p>
            <p><label for='email'>".$this->l['admin']['m_email']."</label><br />
               <input class='userdata' id='email' name='jlog_email' type='text' size='20' maxlength='255' value='".$this->defaultValue($data, 'jlog_email')."' /></p>
            <p><label for='description'>".$this->l['admin']['m_description']."</label><br />
@@ -373,7 +373,7 @@ class Settings {
            <p><label for='db_user'>".$this->l['admin']['m_db_user']."</label><br />
               <input class='userdata' id='db_user' name='jlog_db_user' type='text' size='20' maxlength='255' value='".$this->defaultValue($data, 'jlog_db_user')."' /></p>
            <p><label for='db_pwd'>".$this->l['admin']['m_db_pwd']."</label><br />
-              <input class='userdata' id='db_pwd' name='jlog_db_pwd' type='password' size='20' maxlength='255' value='".$this->defaultValue($data, 'jlog_db_pwd')."' /></p>
+              <input class='userdata' id='db_pwd' name='jlog_db_pwd' type='password' size='20' maxlength='255' value='".$this->defaultValue($data, 'jlog_db_pwd').'\' '.NO_PASSWORD_FORM_LEAKS."/></p>
            <p><label for='db_prefix'>".$this->l['admin']['m_db_prefix']."</label><br />
               <input class='userdata' id='db_prefix' name='jlog_db_prefix' type='text' size='20' maxlength='255' value='".$this->defaultValue($data, 'jlog_db_prefix')."' />
               <input name='jlog_start_year' type='hidden' value='".$this->defaultValue($data, 'jlog_start_year', date("Y"))."' /></p>
@@ -384,7 +384,7 @@ class Settings {
         }
     
         $form .= "
-          <p><input type='submit' class='button' value='".$this->l['admin']['submit']."' /></p>
+          <p><button value='{$this->l['admin']['submit']}'>{$this->l['admin']['submit']}</button></p>
          </form>
          ";