Open TheTesla opened 8 years ago
That example there does not illustrate a privacy or security issue and might instead illustrate a confusion between value and defaultValue. However, given the differences between browsers perhaps we should not special case the empty string value.
Which browsers did you test?
This is my test implementation: https://srns.smartrns.net/input_bug.html I tested it on: Firefox, Chrome, Opera and Internet Explorer.
Only Firefox restores the value.
What should be the right behavior of my test implementation if I delete all the text in the input and then toggle between hidden and text type?
The problem is that you assume the value in the value attribute is user input. Whereas it's just the value of the value attribute. And .value doesn't manipulate the value attribute, .defaultValue does. Having said all that, if all those browsers apart from Firefox agree, I agree we should change the standard.
@smaug---- this would mainly affect Gecko it seems. All other browsers already agree that the empty string is not a special value. Do you see any reason not to change the specification here?
@TheTesla if we fix this, would you like to be acknowledged as "Stefan Helmert" or "TheTesla"?
You can write "Stefan Helmert"
Please read the argumentation from Ms2ger (2016-03-14 03:35:16 PDT) on:
https://bugzilla.mozilla.org/show_bug.cgi?id=1255995
Nearly all browsers, except Firefox, allow the change of the input type text to an empty string and store the empty string during type change. The standard does not allow storing empty strings on type change. (Only Firefox is implemented to be standard-conforming.)
The standard does not allow the user to change the input value to empty persistently.
This leads to unintended restoration of data deleted by the user and may be a privacy or security issue. If the user deletes the content of an input box and the type of the input is changed to e.g. hidden after further interaction with the form, then the value of this hidden input is not empty. It is the value which the user wanted to delete. Submitting the data will send this data unintentionally to the server.
So browsers should not be implemented in the way described in the standard.
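The behaviour discussed in this thread, as an added example that is not part of the original issue and not browser or specification code: a simplified model of one input element whose type is toggled between text and hidden after the user clears it. The class `ModelInput`, the helper `clearThenHide` and the sample value are assumptions made for illustration.

```javascript
// Simplified model of an <input> (illustrative; names are hypothetical).
// specialCaseEmpty = true  -> the empty-string exception described in the thread
//                             (the standard's wording, as implemented by Firefox)
// specialCaseEmpty = false -> the behaviour of the other browsers tested
const VALUE_MODE_TYPES = new Set(["text"]); // types where .value is the live user value

class ModelInput {
  constructor(attrValue, specialCaseEmpty) {
    this.type = "text";
    this.attr = attrValue;   // value content attribute (what .defaultValue reflects)
    this.value = attrValue;  // live value the user sees and edits
    this.specialCaseEmpty = specialCaseEmpty;
  }
  userTypes(text) { this.value = text; }
  setType(newType) {
    const wasValueMode = VALUE_MODE_TYPES.has(this.type);
    const isValueMode = VALUE_MODE_TYPES.has(newType);
    if (wasValueMode && !isValueMode) {
      // Leaving value mode: the live value is written to the attribute,
      // except that an empty value is skipped when it is special-cased.
      if (!(this.specialCaseEmpty && this.value === "")) this.attr = this.value;
    } else if (!wasValueMode && isValueMode) {
      // Entering value mode: the live value is reset from the attribute.
      this.value = this.attr;
    }
    this.type = newType;
  }
  // What a form submission would carry for this control.
  submitted() { return VALUE_MODE_TYPES.has(this.type) ? this.value : this.attr; }
}

function clearThenHide(specialCaseEmpty) {
  const input = new ModelInput("secret-note", specialCaseEmpty); // constructed sample value
  input.userTypes("");          // user deletes all the text
  input.setType("hidden");      // page script hides the field
  const sentWhileHidden = input.submitted();
  input.setType("text");        // page script shows it again
  return { sentWhileHidden, shownAfterToggleBack: input.value };
}

console.log("empty string special-cased:", clearThenHide(true));
console.log("empty string stored:       ", clearThenHide(false));
```

A page that must not resubmit cleared data can avoid depending on either behaviour by clearing both `value` and `defaultValue` itself before changing the type.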