[BUGFIX] Avoid autocompletion in TCA type password

The autocomplete="off" parameter is ignored by current browsers, autocomplete="new-password" is to be used for disable autocompletion. The explicit request for autocompleting the password is autocomplete="current-password", which is now used in case config TCA autocomplete is set. See following article for more information: * https://web.dev/articles/sign-in-form-best-practices#new-password * https://web.dev/articles/sign-in-form-best-practices#current-password Resolves: #103067 Related: #97104 Releases: main, 12.4 Change-Id: Ice3c7a50020d7e17b14c51dc89c1c8e1700fe9a6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82836 Tested-by: Benjamin Franzke <ben@bnf.dev> Reviewed-by: Benjamin Franzke <ben@bnf.dev> Tested-by: core-ci <typo3@b13.com>

[BUGFIX] Avoid autocompletion in TCA type password
The autocomplete="off" parameter is ignored by current browsers, autocomplete="new-password" is to be used for disable autocompletion. The explicit request for autocompleting the password is autocomplete="current-password", which is now used in case config TCA autocomplete is set. See following article for more information: * https://web.dev/articles/sign-in-form-best-practices#new-password * https://web.dev/articles/sign-in-form-best-practices#current-password Resolves: #103067 Related: #97104 Releases: main, 12.4 Change-Id: Ice3c7a50020d7e17b14c51dc89c1c8e1700fe9a6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82836 Tested-by: Benjamin Franzke <ben@bnf.dev> Reviewed-by: Benjamin Franzke <ben@bnf.dev> Tested-by: core-ci <typo3@b13.com>
e72b7c6c · Benjamin Franzke · 6a1832a4 · e72b7c6c · e72b7c6c
Commit e72b7c6c authored 1 year ago by Benjamin Franzke
--- a/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php
+++ b/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php
@@ -134,7 +134,7 @@ class PasswordElement extends AbstractFormElement
            $attributes['placeholder'] = trim($config['placeholder']);
        }
-        $attributes['autocomplete'] = ($config['autocomplete'] ?? false) ? 'new-' . $fieldName : 'off';
+        $attributes['autocomplete'] = ($config['autocomplete'] ?? false) ? 'current-password' : 'new-password';
        $fieldControlResult = $this->renderFieldControl();
        $fieldControlHtml = $fieldControlResult['html'];

--- a/typo3/sysext/core/Documentation/Changelog/12.0/Feature-97104-NewTCATypePassword.rst
+++ b/typo3/sysext/core/Documentation/Changelog/12.0/Feature-97104-NewTCATypePassword.rst
@@ -21,9 +21,9 @@ TCA type :php:`password` has been added. It replaces the :php:`eval=password`
 and :php:`eval=saltedPassword` option of TCA type :php:`input`.
 TCA password fields will be rendered as input :php:`type=password` fields.
-By default, the :php:`autocomplete=off` attribute will be added to the
+By default, the :php:`autocomplete=new-password` attribute will be added to the
 resulting input field. If :php:`autocomplete=true` is configured in TCA, a
-:php:`autocomplete=new-fieldname` attribute will be added to the element.
+:php:`autocomplete=current-password` attribute will be added to the element.
 The TCA type :php:`password` features the following column configuration: