Why is this a problem? It's a client security problem, not something that hits the server in any particular way. If the desktop user configured his computer so that anyone can reclaim his password from the autocomplete list, that's his problem. You could "fix" Zope, but it wouldn't fix the thousands of other web sites which also do credit card. Afaik, autocompletion on forms is disabled by default.

Alexander Staubo
http://www.mop.no/~alex/
mailto:redhand@mop.no
-----Original Message-----
From: anthony@nextTelecom.com [mailto:anthony@nextTelecom.com] On Behalf Of Anthony Baxter
Sent: 12. mai 1999 16:38
To: zope@zope.org
Subject: [Zope] IE5 form entry horror.
One of the customer service people here just pointed out something of a horror problem (a week before go-live, yay).
IE5 appears to have a client-side cache of form entry values - so if someone returns to a page, they get a drop-box of previously entered values for this form field - this occurs even on a form accessed by https. To say that I'm somewhat unimpressed by this utter misfeature is something of an understatement. Imagine a kiosk setup, with a registration screen prompting for (amongst other things) a credit card number. Gee, let's use one someone entered earlier - pull down a little scrolly box.
aiieieieie. One thought that comes to mind is to make the form field name be a name with a random bit on the end. (Another thought that came to mind was to do a drive-by on the local MS office.) Anyway, the reason for the zope-post is that I'm thinking of hacking the field name converting so that you can do fieldname:type:end:anything and just finish looking for the type name after it hits the 'end' tag.
This is a 3 line patch to ZPublisher/HTTPRequest.py - would it offend anyone if it was added?
Anthony
_______________________________________________
Zope maillist - Zope@zope.org
http://www.zope.org/mailman/listinfo/zope
(For developer-specific issues, use the companion list, zope-dev@zope.org - http://www.zope.org/mailman/listinfo/zope-dev )
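The field-naming idea from the original message, sketched as an added example; this is not Anthony's patch and not ZPublisher code. The function names, the small converter table and the sample values are assumptions made for illustration: the form is rendered with a field name that ends in `:end:<random>`, and the server stops looking for type names once it reaches `end`, so the browser never sees the same field name twice while the application still receives a stable key.

```python
import secrets

# Hypothetical converter table standing in for ZPublisher's type converters.
CONVERTERS = {"int": int, "float": float, "string": str}


def randomized_name(field, type_name=None):
    """Build a form field name whose tail changes on every page render."""
    parts = [field]
    if type_name:
        parts.append(type_name)
    # Everything after the 'end' marker is throwaway randomness.
    parts += ["end", secrets.token_hex(8)]
    return ":".join(parts)


def parse_field(raw_name, raw_value):
    """Return (field, converted_value), ignoring everything from 'end' on."""
    field, *suffixes = raw_name.split(":")
    value = raw_value
    for suffix in suffixes:
        if suffix == "end":
            break  # the rest is the random tail, not a type name
        if suffix not in CONVERTERS:
            raise ValueError(f"unknown type converter: {suffix!r}")
        value = CONVERTERS[suffix](value)
    return field, value


def parse_form(submitted):
    """Map a submitted form with randomized names back to stable keys."""
    return dict(parse_field(name, value) for name, value in submitted.items())


if __name__ == "__main__":
    # Constructed sample submission; the card number is a dummy value.
    form = {
        randomized_name("cardnumber", "string"): "0000 0000 0000 0000",
        randomized_name("expiry_year", "int"): "2001",
    }
    print(sorted(form))      # names differ on every run
    print(parse_form(form))  # stable keys, converted values
```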