Login and Registration: Ensure a revealed password is reverted to the password input type upon form submission.

This means if a password has been toggled to visible by the user, or is visible by default, it gets reverted to the `password` type to prevent browsers from remembering it as a previously-provided value and potentially displaying it as an autofill option on non-password inputs. Props jamieburchell, sukhendu2002, vgnavada Fixes #62147 Built from https://develop.svn.wordpress.org/trunk@60306 git-svn-id: http://core.svn.wordpress.org/trunk@59642 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2025-06-13 10:37:29 +00:00
parent 6154bb41b5
commit 90d0955974
3 changed files with 12 additions and 2 deletions
--- a/wp-admin/js/user-profile.js
+++ b/wp-admin/js/user-profile.js
@@ -101,6 +101,8 @@
 			return;
 		}
 		$toggleButton = $pass1Row.find('.wp-hide-pw');
+
+		// Toggle between showing and hiding the password.
 		$toggleButton.show().on( 'click', function () {
 			if ( 'password' === $pass1.attr( 'type' ) ) {
 				$pass1.attr( 'type', 'text' );
@@ -110,6 +112,14 @@
 				resetToggle( true );
 			}
 		});
+
+		// Ensure the password input type is set to password when the form is submitted.
+		$pass1Row.closest( 'form' ).on( 'submit', function() {
+			if ( $pass1.attr( 'type' ) === 'text' ) {
+				$pass1.attr( 'type', 'password' );
+				resetToggle( true );
+			}
+		} );
 	}

 	/**
--- a/wp-admin/js/user-profile.min.js
+++ b/wp-admin/js/user-profile.min.js
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.9-alpha-60305';
+$wp_version = '6.9-alpha-60306';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.