From 2976b2ae8f0e4e5effdbf75f77333ff7c4774c46 Mon Sep 17 00:00:00 2001
From: Bill Erickson
Date: Thu, 17 Mar 2016 11:21:45 -0400
Subject: [PATCH] JBAS-1132 Self-reg clear values on page load
Clear all text form values on page load to prevent browser-back from leaking sensitive information. Avoid unchecking checkboxes on self-register page load to that billing address == mailing address can be set by default. Note, page is SSL and caching is disabled. This was not enough to prevent the browser (Chrome, anyway) from caching the form values...
Signed-off-by: Bill Erickson
---
 Open-ILS/web/js/ui/default/opac/register.js | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/Open-ILS/web/js/ui/default/opac/register.js b/Open-ILS/web/js/ui/default/opac/register.js
index 0e3c4d8cfe..4fe22a6ea0 100644
--- a/Open-ILS/web/js/ui/default/opac/register.js
+++ b/Open-ILS/web/js/ui/default/opac/register.js
@@ -221,8 +221,10 @@ function activity_checker_thread() {
 document.getElementById('register-success') ? post_success_timeout : activity_timeout;
+ /*
 console.debug('checking activity timeout=' + timeout + ' : time range (ms) = ' + diff);
+ */
 if (diff > timeout) {
 location.href = timeout_redirect;
@@ -235,3 +237,20 @@ function activity_checker_thread() {
 activity_checker_thread();
+// No other onload should be firing for this page.
+window.onload = function() {
+ // Clear all values on page load to avoid browser-back leaking
+ // sensitive information.
+ // Note that disabling all page-level caching does not suffice.
+
+ var inputs = document.getElementsByTagName('input');
+ for (var i = 0; i < inputs.length; i++) {
+ var input = inputs[i];
+ var type_ = input.getAttribute('type');
+ // avoid modifying input type=submit, checkbox's, radio's
+ if (type_ == 'text') {
+ input.value = '';
+ }
+ }
+}
+
--
2.11.0
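Review bot: In the second hunk, the `type_ == 'text'` test reads the raw attribute, so an `<input>` with no `type` attribute (where `getAttribute('type')` returns null), one typed `email`, `tel` or `password`, and any `<textarea>` keep their restored values; whether the self-registration template has such fields is not visible here, so it is worth checking against the template. Reading the property instead, `var type_ = input.type;`, makes an untyped field report `text`, and the condition can then list the other free-text types the form actually uses while still skipping `hidden`, `submit`, `checkbox` and `radio`. Separately, `window.onload` is not re-run when a browser restores the page from its back/forward cache, so the clearing may be skipped on exactly the browser-back path the commit targets; registering the same function for the `pageshow` event would cover that case as well.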