JBAS-1132 Self-reg clear values on page load

Clear all text form values on page load to prevent browser-back from
leaking sensitive information.

Avoid unchecking checkboxes on self-register page load to that billing
address == mailing address can be set by default.

Note, page is SSL and caching is disabled.  This was not enough to
prevent the browser (Chrome, anyway) from caching the form values...

Signed-off-by: Bill Erickson <berickxx@gmail.com>

diff --git a/Open-ILS/web/js/ui/default/opac/register.js b/Open-ILS/web/js/ui/default/opac/register.js
index 0e3c4d8..4fe22a6 100644 (file)
--- a/Open-ILS/web/js/ui/default/opac/register.js
+++ b/Open-ILS/web/js/ui/default/opac/register.js
@@ -221,8 +221,10 @@ function activity_checker_thread() {
       document.getElementById('register-success') ?
       post_success_timeout : activity_timeout;
 
+    /*
     console.debug('checking activity timeout=' + 
       timeout + ' : time range (ms) = ' + diff);
+    */
 
     if (diff > timeout) {
         location.href = timeout_redirect;
@@ -235,3 +237,20 @@ function activity_checker_thread() {
 
 activity_checker_thread();
 
+// No other onload should be firing for this page.
+window.onload = function() {
+    // Clear all values on page load to avoid browser-back leaking
+    // sensitive information.
+    // Note that disabling all page-level caching does not suffice.
+
+    var inputs = document.getElementsByTagName('input');
+    for (var i = 0; i < inputs.length; i++) {
+        var input = inputs[i];
+        var type_ = input.getAttribute('type');
+        // avoid modifying input type=submit, checkbox's, radio's
+        if (type_ == 'text') {
+            input.value = '';
+        }
+    }
+}
+