whatwg / html

HTML Standard
https://html.spec.whatwg.org/multipage/

text input empty string storage #959

Open TheTesla opened 8 years ago

TheTesla commented 8 years ago

Please read the argumentation from Ms2ger (2016-03-14 03:35:16 PDT) on:

https://bugzilla.mozilla.org/show_bug.cgi?id=1255995

Nearly all browsers except Firefox allow changing the text input to an empty string and store the empty string during the type change. The standard does not allow storing empty strings on type change. (Only Firefox is implemented in conformance with the standard.)

The standard does not allow the user to change the input value to empty persistently.

This leads to unintended restoration of data deleted by the user and may be a privacy or security issue. If the user deletes the content of an input box and the type of the input is changed to e.g. hidden after further interaction with the form, the value of this hidden input is not empty. It is the value which the user wanted to delete. Submitting the data will send this data unintentionally to the server.

So browsers should not be implemented in the way described in the standard.

annevk commented 8 years ago

That example there does not illustrate a privacy or security issue and might instead illustrate a confusion between value and defaultValue. However, given the differences between browsers perhaps we should not special case the empty string value.

Which browsers did you test?

TheTesla commented 8 years ago

This is my test implementation: https://srns.smartrns.net/input_bug.html I tested it on Firefox, Chrome, Opera and Internet Explorer.

Only Firefox restores the value.

What should be the right behavior of my test implementation if I delete all the text in the input and then toggle between hidden and text type?

annevk commented 8 years ago

The problem is that you assume the value in the value attribute is user input. Whereas it's just the value of the value attribute. And .value doesn't manipulate the value attribute, .defaultValue does. Having said all that, if all those browsers apart from Firefox agree I agree we should change the standard.
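
The value/defaultValue distinction and the empty-string special case discussed above, as an added example that is not part of the thread, the specification text, or any browser's code. It is a simplified model of the type-change handling for the two states in the test (text and hidden); the class, function and `specialCaseEmpty` names are hypothetical and `"secret"` is a constructed sample value.

```javascript
// Added model, not spec text or browser code. Only the two states used in the
// thread are modelled: "text" (value mode) and "hidden" (default mode).
const MODE = { text: "value", hidden: "default" };

class InputModel {
  constructor(valueAttr, specialCaseEmpty) {
    this.type = "text";
    this.valueAttr = valueAttr; // value content attribute (what .defaultValue reflects)
    this.internal = valueAttr;  // the element's value, which the user edits
    this.dirty = false;         // set once the user has edited the field
    this.specialCaseEmpty = specialCaseEmpty; // hypothetical switch between behaviours
  }
  userEdits(text) {
    this.internal = text;       // user input never touches the content attribute
    this.dirty = true;
  }
  get value() {
    // value mode reads the edited value; default mode reads the content attribute
    return MODE[this.type] === "value" ? this.internal : (this.valueAttr ?? "");
  }
  setType(newType) {
    const prev = MODE[this.type], next = MODE[newType];
    if (prev === "value" && next === "default") {
      // Leaving value mode: copy the edited value into the attribute, unless the
      // empty string is special-cased and the field was cleared.
      if (!(this.specialCaseEmpty && this.internal === "")) this.valueAttr = this.internal;
    } else if (prev !== "value" && next === "value") {
      // Entering value mode: reload from the attribute and reset the dirty flag.
      this.internal = this.valueAttr ?? "";
      this.dirty = false;
    }
    this.type = newType;
  }
}

// The test from the thread: clear the field, toggle to hidden, toggle back.
function clearThenToggle(specialCaseEmpty) {
  const input = new InputModel("secret", specialCaseEmpty); // constructed sample
  input.userEdits("");
  input.setType("hidden");
  const whileHidden = input.value;
  input.setType("text");
  return { whileHidden, afterToggleBack: input.value };
}

console.log("empty string special-cased:    ", clearThenToggle(true));
console.log("empty string not special-cased:", clearThenToggle(false));
```

With the special case, the cleared field reads as the old attribute value while hidden and after toggling back; without it, the empty string persists.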

annevk commented 8 years ago

@smaug---- this would mainly affect Gecko it seems. All other browsers already agree that the empty string is not a special value. Do you see any reason not to change the specification here?

annevk commented 8 years ago

@TheTesla if we fix this, would you like to be acknowledged as "Stefan Helmert" or "TheTesla"?

TheTesla commented 8 years ago

You can write "Stefan Helmert"