autocomplete for hidden type #59294


Closed
lxregistry opened this issue Dec 24, 2024 · 3 comments

Comments


lxregistry commented Dec 24, 2024

Symfony version(s) affected

7.2.1

Description

This field is auto-generated by Symfony:

```html
<input type="hidden" id="message__token" name="message[_token]" data-controller="csrf-protection" autocomplete="off" value="csrf-token" />
```

this is the error from validator.w3.org:

An input element with a type attribute whose value is hidden must not have an autocomplete attribute whose value is on or off.

How to reproduce

create a simple contact form

Possible Solution

why autocomplete for a hidden field?

Additional Context

No response

Member

GromNaN commented Dec 24, 2024

I guess it's to make sure the field isn't going to be autocompleted, which would make it impossible to submit the form. This attribute was added in 7.2 by 27d8a31.

According to Mozilla docs

If including the autocomplete attribute on hidden input elements (), its value must be an ordered list of space-separated tokens; the on and off keywords are not allowed.

But also, the spec allows it for a specific use-case.

On an input element whose type attribute is in the Hidden state, the autocomplete attribute wears the autofill anchor mantle.

Member

stof commented Dec 24, 2024

@GromNaN the spec allows the autocomplete attribute on such an input, but not with an off value.

Member

xabbuh commented Dec 24, 2024

see #59296

xabbuh added Form and removed Security labels Dec 24, 2024
nicolas-grekas added a commit that referenced this issue Jan 6, 2025
…lete set to off (xabbuh)

This PR was merged into the 7.2 branch.

Discussion
----------

[Form] do not render hidden CSRF token forms with autocomplete set to off

| Q             | A
| ------------- | ---
| Branch?       | 7.2
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | Fix #59294
| License       | MIT

Commits
-------

dcf17e6 do not render hidden CSRF token forms with autocomplete set to off
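
A regression check for the validator rule quoted in the issue, added here as an example and not taken from Symfony or from the linked fix: it parses rendered form HTML and reports hidden inputs whose `autocomplete` is `on` or `off`, while accepting the autofill-token form the spec permits. The function and class names are hypothetical, and every sample field except the `message[_token]` input from the issue is constructed.

```python
from html.parser import HTMLParser

# Constructed sample: the message[_token] input is the markup quoted in the
# issue; the other controls are made up for contrast.
SAMPLE_FORM = """
<form name="message" method="post">
  <input type="text" name="message[subject]" autocomplete="off" />
  <input type="hidden" id="message__token" name="message[_token]" data-controller="csrf-protection" autocomplete="off" value="csrf-token" />
  <input type="HIDDEN" name="message[ref]" autocomplete=" ON " value="1" />
  <input type="hidden" name="message[anchor]" autocomplete="section-a shipping postal-code" value="" />
  <input type="hidden" name="message[plain]" value="x" />
</form>
"""


class HiddenAutocompleteLint(HTMLParser):
    """Collects hidden inputs whose autocomplete value is 'on' or 'off'."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Self-closing <input ... /> tags also arrive here via the default
        # handle_startendtag(). Tag and attribute names are already lowercased.
        if tag != "input":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("type", "").strip().lower() != "hidden":
            return  # on/off is valid on visible controls such as type="text"
        if "autocomplete" not in attr:
            return
        # Compare case-insensitively and ignore surrounding whitespace.
        value = attr["autocomplete"].strip().lower()
        if value in ("on", "off"):
            line, _column = self.getpos()
            self.findings.append((line, attr.get("name", ""), value))


def lint_hidden_autocomplete(html):
    """Return (line, field name, offending value) for each violation."""
    parser = HiddenAutocompleteLint()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for line, name, value in lint_hidden_autocomplete(SAMPLE_FORM):
        print(f"line {line}: hidden input {name!r} has autocomplete={value!r}")
```

Run against a rendered template in a functional test, an empty result means the CSRF token field no longer trips the validator.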