From e72b7c6cfd3133e2beeeea5156c2bd5b620475d4 Mon Sep 17 00:00:00 2001
From: Benjamin Franzke <ben@bnf.dev>
Date: Wed, 7 Feb 2024 10:10:55 +0100
Subject: [PATCH] [BUGFIX] Avoid autocompletion in TCA type password

The autocomplete="off" parameter is ignored by current browsers;
autocomplete="new-password" is to be used to disable autocompletion.

The explicit request for autocompleting the password is
autocomplete="current-password", which is now used in case config TCA
autocomplete is set.

See following article for more information:
 * https://web.dev/articles/sign-in-form-best-practices#new-password
 * https://web.dev/articles/sign-in-form-best-practices#current-password

Resolves: #103067
Related: #97104
Releases: main, 12.4
Change-Id: Ice3c7a50020d7e17b14c51dc89c1c8e1700fe9a6
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82836
Tested-by: Benjamin Franzke <ben@bnf.dev>
Reviewed-by: Benjamin Franzke <ben@bnf.dev>
Tested-by: core-ci <typo3@b13.com>
---
 typo3/sysext/backend/Classes/Form/Element/PasswordElement.php | 2 +-
 .../Changelog/12.0/Feature-97104-NewTCATypePassword.rst       | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php b/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php
index 755219b5be06..0ad9ec1c75ca 100644
--- a/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php
+++ b/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php
@@ -134,7 +134,7 @@ class PasswordElement extends AbstractFormElement
             $attributes['placeholder'] = trim($config['placeholder']);
         }
 
-        $attributes['autocomplete'] = ($config['autocomplete'] ?? false) ? 'new-' . $fieldName : 'off';
+        $attributes['autocomplete'] = ($config['autocomplete'] ?? false) ? 'current-password' : 'new-password';
 
         $fieldControlResult = $this->renderFieldControl();
         $fieldControlHtml = $fieldControlResult['html'];
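Review bot: The `'current-password'` branch on the changed `$attributes['autocomplete']` line asks the browser to fill the credential it has saved for this origin, which in a backend record form is presumably the editor's own login password rather than the value belonging to the record being edited. If so, a field configured with `autocomplete => true` could be silently pre-filled with, and then saved as, the editor's backend password, so the option deserves a warning in the TCA reference and in a comment here. The `'new-password'` default is also only a hint: browsers and password managers may still offer to generate or store a value for the field. I would add above the assignment `// "off" is ignored for password inputs; "new-password" is a hint only, "current-password" lets the browser fill the credential saved for this origin`. The enclosing method starts and ends outside the hunk.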
diff --git a/typo3/sysext/core/Documentation/Changelog/12.0/Feature-97104-NewTCATypePassword.rst b/typo3/sysext/core/Documentation/Changelog/12.0/Feature-97104-NewTCATypePassword.rst
index 71a83ef1580a..f83eca70d251 100644
--- a/typo3/sysext/core/Documentation/Changelog/12.0/Feature-97104-NewTCATypePassword.rst
+++ b/typo3/sysext/core/Documentation/Changelog/12.0/Feature-97104-NewTCATypePassword.rst
@@ -21,9 +21,9 @@ TCA type :php:`password` has been added. It replaces the :php:`eval=password`
 and :php:`eval=saltedPassword` option of TCA type :php:`input`.
 
 TCA password fields will be rendered as input :php:`type=password` fields.
-By default, the :php:`autocomplete=off` attribute will be added to the
+By default, the :php:`autocomplete=new-password` attribute will be added to the
 resulting input field. If :php:`autocomplete=true` is configured in TCA, a
-:php:`autocomplete=new-fieldname` attribute will be added to the element.
+:php:`autocomplete=current-password` attribute will be added to the element.
 
 The TCA type :php:`password` features the following column configuration:
 
-- 
GitLab