From 9b20decdc1c6e400b738e28cf4238a2a73d9a18a Mon Sep 17 00:00:00 2001
From: Daniel Hammer <daniel.hammer+oss@gmail.com>
Date: Sun, 15 Jan 2023 15:17:00 +0100
Subject: [PATCH] "Spell-Jacking" mitigation ~ prevent sensitive data leak from
 spell checker. @see
 https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords

---
 src/static/templates/admin/settings.hbs | 4 ++--
 src/static/templates/admin/users.hbs    | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/static/templates/admin/settings.hbs b/src/static/templates/admin/settings.hbs
index e3874335..50cd1a75 100644
--- a/src/static/templates/admin/settings.hbs
+++ b/src/static/templates/admin/settings.hbs
@@ -47,7 +47,7 @@
                             <div class="row my-2 align-items-center pt-3 border-top" title="Send a test email to given email address">
                                 <label for="smtp-test-email" class="col-sm-3 col-form-label">Test SMTP</label>
                                 <div class="col-sm-8 input-group">
-                                    <input class="form-control" id="smtp-test-email" type="email" placeholder="Enter test email" required>
+                                    <input class="form-control" id="smtp-test-email" type="email" placeholder="Enter test email" required spellcheck="false">
                                     <button type="button" class="btn btn-outline-primary input-group-text" id="smtpTest">Send test email</button>
                                     <div class="invalid-tooltip">Please provide a valid email address</div>
                                 </div>
@@ -85,7 +85,7 @@
                                     <input readonly class="form-control" id="input_{{name}}" type="password" value="{{value}}" {{#if default}} placeholder="Default: {{default}}" {{/if}}>
                                     <button class="btn btn-outline-secondary" type="button" data-vw-pw-toggle="input_{{name}}">Show/hide</button>
                                 {{else}}
-                                    <input readonly class="form-control" id="input_{{name}}" type="{{type}}" value="{{value}}" {{#if default}} placeholder="Default: {{default}}" {{/if}}>
+                                    <input readonly class="form-control" id="input_{{name}}" type="{{type}}" value="{{value}}" {{#if default}} placeholder="Default: {{default}}" {{/if}} spellcheck="false">
                                     {{#case type "password"}}
                                     <button class="btn btn-outline-secondary" type="button" data-vw-pw-toggle="input_{{name}}">Show/hide</button>
                                     {{/case}}
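Review bot: The masked input on the first context line of this hunk (`type="password"`, followed by a Show/hide button wired through `data-vw-pw-toggle`) is left without `spellcheck="false"`; only the `{{else}}` input receives it. If the toggle switches that field to `type="text"`, which the button label suggests but the hunk does not show, the revealed secret becomes eligible for browser spell checking, the password exposure that the article linked in the commit subject refers to. Adding the attribute to that line as well, `{{#if default}} placeholder="Default: {{default}}" {{/if}} spellcheck="false">`, closes the gap. The enclosing `{{#if}}` block starts outside the hunk, so other branches of it may need the same check.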
diff --git a/src/static/templates/admin/users.hbs b/src/static/templates/admin/users.hbs
index 3dbee11c..933c939a 100644
--- a/src/static/templates/admin/users.hbs
+++ b/src/static/templates/admin/users.hbs
@@ -96,7 +96,7 @@
             <small>Email:</small>
 
             <form class="form-inline input-group w-50" id="inviteUserForm">
-                <input type="email" class="form-control me-2" id="inviteEmail" placeholder="Enter email" required>
+                <input type="email" class="form-control me-2" id="inviteEmail" placeholder="Enter email" required spellcheck="false">
                 <button type="submit" class="btn btn-primary">Invite</button>
             </form>
         </div>
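Review bot: Opting out one `<input>` at a time leaves any field added to this template later unprotected unless its author remembers the attribute. An element without its own `spellcheck` attribute inherits the behaviour from its parent, so setting it once on the form, `<form class="form-inline input-group w-50" id="inviteUserForm" spellcheck="false">`, covers `inviteEmail` and every future field inside it. The same approach would suit the `smtp-test-email` and `input_{{name}}` fields in settings.hbs, provided their enclosing container, which is not visible in those hunks, is a suitable place for it.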
-- 
GitLab