From 2124821e0078dda16e51c2a668558a331ef49156 Mon Sep 17 00:00:00 2001
From: Chris Hill-Scott
Date: Mon, 15 Feb 2016 13:05:25 +0000
Subject: [PATCH] =?UTF-8?q?Don=E2=80=99t=20allow=20autocomplete=20on=20reg?= =?UTF-8?q?ister=20page?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is a potential attack vector which was highlighted by the pen test. Setting autocomplete to `nope` (or any random string) is the most comprehensive way of telling browsers not to autocomplete a form according to: https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion
---
app/templates/views/register.html | 2 +-
app/templates/views/signin.html | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/templates/views/register.html b/app/templates/views/register.html
index 01e86f1ed..dd13e1014 100644
--- a/app/templates/views/register.html
+++ b/app/templates/views/register.html
@@ -14,7 +14,7 @@ Create an account – GOV.UK Notify

If you've used GOV.UK Notify before, sign in to your account.

-
+
 {{ textbox(form.name, width='3-4') }}
 {{ textbox(form.email_address, hint="Your email address must end in .gov.uk", width='3-4') }}
 {{ textbox(form.mobile_number, width='3-4') }}
diff --git a/app/templates/views/signin.html b/app/templates/views/signin.html
index 44906ff98..d08778e0e 100644
--- a/app/templates/views/signin.html
+++ b/app/templates/views/signin.html
@@ -14,7 +14,7 @@
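Review bot: The changed `<form>` line in register.html carries a non-standard autocomplete value whose rationale exists only in the commit message; the markup of that line is not visible in this extract, so this is inferred from the description rather than the hunk. A later maintainer reading `autocomplete="nope"` will reasonably assume a typo for `off` and "fix" it, so the template should carry the reasoning next to the tag, e.g. `{# autocomplete="nope": deliberately not "off", which browsers ignore on some forms; see MDN "Turning off form autocompletion" #}`. The same comment belongs on the equivalent line in the signin.html hunk below. The attribute is a hint the browser is free to disregard rather than a server-enforced control, so the pen-test finding should be tracked as mitigated by a client-side hardening measure, not closed on the strength of this change alone.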

If you do not have an account, you can register for one now.

-
+
 {{ textbox(form.email_address) }}
 {{ textbox(form.password) }}
 {{ page_footer("Continue", secondary_link=url_for('.forgot_password'), secondary_link_text="Forgotten password?") }}
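Review bot: The sign-in form's changed line applies the autocomplete value to the whole form, and the context lines show it contains `form.password`, so the setting also covers the credential field, not just the free-text fields the register page has. Browsers and password managers treat form-level autocomplete on login forms inconsistently, commonly either ignoring it or suppressing password-manager fill, which is a usability and security trade-off the commit message does not discuss. If the intent is only to stop browsers remembering the email address, consider setting the attribute per field (`{{ textbox(form.email_address) }}` carries the hint, `{{ textbox(form.password) }}` left to the browser default) and recording the decision in a template comment; if the intent is deliberately to cover the password field too, a one-line `{# … #}` stating that would save the next reviewer re-opening the question.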