Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Password inputs do not synchronize the value attribute #12722

Closed
wants to merge 1 commit into from
Closed

Password inputs do not synchronize the value attribute #12722

wants to merge 1 commit into from

Conversation

nhunzaker
Copy link
Contributor

@nhunzaker nhunzaker commented May 1, 2018
edited
Loading

On hold until 17.0.0

In order to prevent passwords from showing up in the markup React generates, this commit adds exceptions for password inputs such that defaultValue synchronization is omitted.

When rendered server-side, password inputs no longer render the value attribute markup, however the value attribute is restored upon hydration. This is probably a design decision that we should clamp down, and something we'll need to respect if we remove value attribute syncing generally.

This should fix #11896, as it pertains to password inputs.

nhunzaker
nhunzaker commented May 1, 2018
View reviewed changes
packages/react-dom/src/__tests__/ReactDOMInput-test.js
it('does not set the value attribute on password inputs', () => {
const Input = getTestInput();
const stub = ReactTestUtils.renderIntoDocument(
<Input type="password" value="1" />,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Side note. Input here, as a React component, through me off for a bit. I wonder if we should rename this TestInput or ControlledInput.

@klamping klamping mentioned this pull request May 1, 2018
Open
nhunzaker
nhunzaker commented May 1, 2018
View reviewed changes
packages/react-dom/src/__tests__/ReactDOMServerIntegrationForms-test.js

expect(e.value).toBe('');
expect(e.hasAttribute('value')).toBe(false);
});
});
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had to split these out. Markup straight from the server never assigns the value attribute, so the related input won't have a value. It is eventually assigned during hydration, as illustrated in the itClientRenders tests.

Also, this should still respect value property modifications by a user in cases where hydration stalls and executes after a user has given input..

nhunzaker
nhunzaker commented May 1, 2018
View reviewed changes
packages/react-dom/src/client/ReactDOMFiberInput.js
if (value == null) {
node.defaultValue = '' + node._wrapperState.initialValue;
} else if (node.defaultValue !== '' + value) {
node.defaultValue = '' + value;
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is pretty blown out, but I wanted to make it painfully obvious that number inputs and passwords are unique.

@pull-bot
Copy link

pull-bot commented May 1, 2018
edited
Loading

ReactDOM: size: 0.0%, gzip: 0.0%

Details of bundled changes.

Comparing: 7dd4ca2...e190e81

react-dom

File Filesize Diff Gzip Diff Prev Size Current Size Prev Gzip Current Gzip ENV
react-dom.development.js +0.1% +0.1% 611.52 KB 611.87 KB 141.29 KB 141.37 KB UMD_DEV
react-dom.production.min.js 0.0% 0.0% 100.06 KB 100.1 KB 31.84 KB 31.86 KB UMD_PROD
react-dom.development.js +0.1% +0.1% 595.9 KB 596.25 KB 137.12 KB 137.21 KB NODE_DEV
react-dom.production.min.js 0.0% 0.0% 98.5 KB 98.54 KB 31.06 KB 31.07 KB NODE_PROD
react-dom-server.browser.development.js +0.2% +0.2% 101.34 KB 101.56 KB 26.45 KB 26.51 KB UMD_DEV
react-dom-server.browser.production.min.js 🔺+0.5% 🔺+0.6% 15.18 KB 15.25 KB 5.8 KB 5.84 KB UMD_PROD
react-dom-server.browser.development.js +0.2% +0.3% 90.64 KB 90.86 KB 24.19 KB 24.25 KB NODE_DEV
react-dom-server.browser.production.min.js 🔺+0.5% 🔺+0.5% 14.54 KB 14.61 KB 5.54 KB 5.57 KB NODE_PROD
react-dom-server.node.development.js +0.2% +0.3% 92.56 KB 92.78 KB 24.74 KB 24.8 KB NODE_DEV
react-dom-server.node.production.min.js 🔺+0.5% 🔺+0.6% 15.34 KB 15.42 KB 5.84 KB 5.87 KB NODE_PROD
ReactDOM-dev.js +0.1% +0.1% 620.33 KB 620.67 KB 139.88 KB 139.98 KB FB_WWW_DEV
ReactDOM-prod.js 0.0% 0.0% 284.19 KB 284.26 KB 51.94 KB 51.96 KB FB_WWW_PROD
ReactDOMServer-dev.js +0.3% +0.3% 94.11 KB 94.36 KB 24.03 KB 24.09 KB FB_WWW_DEV
ReactDOMServer-prod.js 🔺+1.2% 🔺+0.7% 31.6 KB 31.99 KB 7.76 KB 7.82 KB FB_WWW_PROD

Generated by 🚫 dangerJS

nhunzaker
nhunzaker commented May 1, 2018
View reviewed changes
packages/react-dom/src/server/ReactPartialRenderer.js
(propKey === 'value' || propKey === 'defaultValue')
) {
continue;
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't feel great about this, is there an earlier place I can sift out the value attribute for password inputs?

I think we need to filter out the value attribute on password inputs anyway, even if we eliminate value attribute syncing altogether. The value attribute for most input will still be sent down.

@nhunzaker nhunzaker force-pushed the nh-password-inputs-no-sync branch from 2161f6b to 9619e81 Compare May 1, 2018 00:19
@nhunzaker
Password inputs do not synchronize the value attribute
e190e81 
In order to prevent passwords from showing up in the markup React
generates, this commit adds exceptions for password inputs such that
defaultValue synchronization is omitted.

When rendered server-side, password inputs will not send markup down
from the server, however the value attribute is restored upon
hydration. This is probably a design decision that we should clamp
down.
@nhunzaker nhunzaker force-pushed the nh-password-inputs-no-sync branch from 9619e81 to e190e81 Compare May 1, 2018 00:28
@nhunzaker nhunzaker mentioned this pull request May 1, 2018
Open
@aweary
Copy link
Contributor

aweary commented May 8, 2018

Did we decide on special-casing password first? This could still be considered a breaking change, so maybe there's not a lot of value in just changing password input behavior.

Also, how does this affect renderToStaticMarkup? We might need to special case this for static markup, since you cannot hydrate it on the client.

@nhunzaker
Copy link
Contributor Author

@aweary That was what I gathered from Sebastian's comment: #11896 (comment), but I don't know if we ever gathered consensus on the timeline.

Also, how does this affect renderToStaticMarkup?

I do not know about present behavior, but my opinion is that value attributes shouldn't appear for password inputs, even when generating static markup.

Maybe we should take this to an RFC.

@facebook-github-bot
Copy link

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please sign up at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need the corporate CLA signed.

If you have received this in error or have any questions, please contact us at [email protected]. Thanks!

@facebook-github-bot
Copy link

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Facebook open source project. Thanks!

@nhunzaker
Copy link
Contributor Author

Closing this out. It should be covered in #13526.

@nhunzaker nhunzaker closed this Sep 4, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
CLA Signed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Stop syncing value attribute for controlled inputs
4 participants
@nhunzaker @pull-bot @aweary @facebook-github-bot