osCommerce

The e-commerce.

How to Turn off Form Auto Complete?


Mort-lemur

Hi,

Wrestling with some issues from a PCI scan, one of which is as follows:

The remote web server contains form fields that allow for auto completion. Depending on the values entered into these fields, future users could obtain sensitive information previously entered by past users. Fields that contain sensitive information, such as credit card and social security numbers and passwords, must be disallowed from caching information.

 

My new web host has been excellent on all the fixes needed at his end and gave me the following info ref this problem:

To disable all entries in a form from being cached, the autocomplete value of the form tag must be set to "off", such as: <form method="POST" action="handlepayment.asp" autocomplete="off"> The autocomplete attribute can also be used on an individual form element such as: <input type="password" autocomplete="off" name="password">.

I don't just want to leap in and start changing code, so I am looking for some advice from the security experts.

Many Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


I am not a security "expert." That given, I have a few comments:

 

1) The autocomplete attribute is non-standard (it was created by Microsoft for IE5). I don't know if it works for all browsers.

 

2) The security warning is for a fairly generic situation, since autocomplete is really a function of the browser. But on shared computers with autocomplete enabled, this would be a problem.

 

3) The simplest action would be to disable autocomplete for all text <input> fields. This wouldn't be very difficult, just a couple changes to the html_output.php file.

Check out Chad's News.

Correction, the easiest way to implement this for all inputs would be to modify the tep_draw_form() function (in html_output.php) such that all forms include 'autocomplete="off"' as a parameter.

 

Change this:

   if (tep_not_null($parameters)) $form .= ' ' . $parameters;

to this:

   $form .= ' autocomplete="off"';
   if (tep_not_null($parameters)) $form .= ' ' . $parameters;

Check out Chad's News.

Thank you,

 

I have changed the code as you suggested, tested the site - seems OK, and have now submitted for another scan.

 

Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


Archived

This topic is now archived and is closed to further replies.
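
A way to check rendered pages before resubmitting for a scan, as an added example that is not part of the original thread or of osCommerce: it parses HTML and lists sensitive inputs for which neither the input itself nor its enclosing form sets autocomplete="off". The field-name hints and the sample markup are constructed assumptions.

```python
from html.parser import HTMLParser

# Assumed name fragments for sensitive fields; adjust to the store's own field names.
SENSITIVE_HINTS = ("password", "cc_", "card", "cvv", "ssn")

class AutocompleteAudit(HTMLParser):
    """Records sensitive <input> fields that a browser may still autocomplete."""
    def __init__(self):
        super().__init__()
        self.form_name = None    # None while outside any <form>
        self.form_off = False    # True if the enclosing form sets autocomplete="off"
        self.findings = []       # (form name, input name) pairs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        setting = a.get("autocomplete", "").strip().lower()
        if tag == "form":
            self.form_name = a.get("name") or "(unnamed)"
            self.form_off = setting == "off"
        elif tag == "input":
            name = a.get("name", "")
            kind = a.get("type", "text").lower()
            sensitive = kind == "password" or any(h in name.lower() for h in SENSITIVE_HINTS)
            # The input's own attribute, when present, overrides the form-level value.
            off = (setting == "off") if setting else self.form_off
            if sensitive and not off:
                self.findings.append((self.form_name or "(no form)", name))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_name, self.form_off = None, False

def audit(html):
    parser = AutocompleteAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample markup (not taken from a real store).
SAMPLE = """
<form name="login" action="login.php" method="post">
  <input type="text" name="email_address"><input type="password" name="password">
</form>
<form name="checkout_payment" action="checkout.php" method="post" autocomplete="off">
  <input type="text" name="cc_number"><input type="text" name="cc_owner" autocomplete="on">
</form>
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The first form stands for output from an unmodified tep_draw_form(); the second shows that a form-level autocomplete="off" does not cover an input that sets its own value.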
