[https://issues.apache.org/struts/browse/STR-2810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46371#action_46371]
Jim Manico edited comment on STR-2810 at 7/18/09 4:24 PM:
----------------------------------------------------------
I'm a big fan of Struts 1.3.x. I currently use Struts 1.3.10, the latest
release of the 1.x Struts line.
I would like the ability to disable autocomplete in an HTML form. Sadly (from a
security perspective), most every browser **enables** autocomplete by default.
We need to explicitly say autocomplete="off" in both the form and form element
tags of HTML 4.01+ pages in order to gain the very basic security protection of
being able to disable autocomplete via markup, regardless of the user's browser
settings. Preventing the browser from caching credit card number, PII and other
critical user data is a no-brainer; appsec 101.
Now, the recent 1.3.10 release made a great stride in this direction.
But it's still not enabled by default! I need to modify the tld in order to
enable the autocomplete form and form element attribute; which takes me off the
main branch of Struts 1.3.x.
I implore you to consider enabling autocomplete by default, so we can turn it
off - without having to customize our version of struts 1.3.x! The best
security is "secured by default", and this request moves us in that direction.
Jim Manico
OWASP, Intrinsic Security Working Group
was (Author: jmanico):
I would like the ability to disable autocomplete in an HTML form. This is
really a basic security principle that all modern browsers support even when
rendering 4.01 transitional. Sadly, by default, most every browser enables
autocomplete. We need to explicitly say autocomplete="off" in order to gain
this very basic security protection. Preventing the browser from caching credit
card number and the like is a no-brainer; appsec 101.
Now, the recent 1.3.10 release made a great stride in this direction. But
still, I need to modify the tld in order to turn off autocomplete; which takes
me off the main branch of Struts 1.3.x.
I implore you to consider enabling autocomplete by default, so we can turn it
off - for real! :)
The best security is "secured by default".
> autocomplete attribute
> ----------------------
>
> Key: STR-2810
> URL: https://issues.apache.org/struts/browse/STR-2810
> Project: Struts 1
> Issue Type: Improvement
> Components: Tag Libraries
> Affects Versions: 1.3.1
> Environment: Operating System: other
> Platform: All
> Reporter: Mark Lowe
> Assignee: Niall Pemberton
> Priority: Minor
> Fix For: 1.3.10, 1.4.0
>
> Attachments: BaseInputTag.java.patch.java, FormTag.java.patch.java,
> struts-html.tld.patch
>
>
> The non-standard attribute autocomplete cannot be deactivated (i.e.
> autocomplete="off") without subclassing the tag class itself and editing tld
> files, effectively forking from the struts code base.
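An added example, not part of the issue or the comment above: a small audit of rendered HTML that reports the gap the comment describes, a form or a sensitive field that the browser may still autocomplete because neither the form nor the element says autocomplete="off". The sample markup and the list of sensitive field names are constructed for this example.

```python
from html.parser import HTMLParser

# Constructed list of field names treated as sensitive for this example.
SENSITIVE_NAMES = ("password", "passwd", "cardnumber", "ccnum", "ssn")


class AutocompleteAudit(HTMLParser):
    """Collect forms and sensitive inputs that lack autocomplete="off"."""

    def __init__(self):
        super().__init__()
        self.form_off = None   # True if the enclosing <form> has autocomplete="off"
        self.findings = []     # (form or field name, reason)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete") == "off"
            if not self.form_off:
                self.findings.append((a.get("name", "<form>"), 'form lacks autocomplete="off"'))
        elif tag == "input":
            name = a.get("name", "")
            sensitive = a.get("type") == "password" or any(s in name for s in SENSITIVE_NAMES)
            if not sensitive:
                return
            own = a.get("autocomplete")
            # Protected if the field itself says "off", or if it inherits "off"
            # from its form and does not override it (e.g. autocomplete="on").
            protected = own == "off" or (own is None and bool(self.form_off))
            if not protected:
                self.findings.append((name, "sensitive field may be autocompleted"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = None


def audit(html):
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a login form without the attribute and a payment form with it.
SAMPLE = """
<form name="login" action="/login.do" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form name="payment" action="/pay.do" method="post" autocomplete="off">
  <input type="text" name="ccNumber">
  <input type="password" name="j_password" autocomplete="on">
</form>
"""

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"{name}: {reason}")
```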
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.