Language Change NPM Resource Changed PR-5.0-dev Pending

User tests: Successful: Unsuccessful:

avatar brianteeman
brianteeman
19 May 2023

Entering a password in a masked password field when you have the capslock on is a frustrating experience.

If you are using a screen reader then you are in luck as the screen reader feels your pain and announces that you have caps lock on in a password field.

If you are using safari then you are also in luck as the browser adds a visual indicator that you have caps lock on in a password field.

This PR does the same for everyone else.

image

This is active on all core password type fields and any 3rd party password field using the layout. (I will update the manual with the instructions to add it to your own extension not using the core layout.

Styling of the text on the front end is beyond the scope of this PR as there is already an open issue for the validation messages in cassipeia

Testing

The easiest way is to use a prebuilt package.
Otherwise apply the pr and then npm ci

Expected Behaviour

  1. If you are in a password field and accidentally press the caps lock key you will see a message that caps lock is on and the message is removed when caps lock is removed
  2. If you are in any other field and caps lock is on and click into the password field using a mouse or other pointer device the message will be displayed
  3. If you are in any other field and caps lock is on and tab into the password field the message will be displayed when you press the nex tinput key

Notes

This is an accessibility and usability feature

  • documentation changes for manual.joomla.org needed for extension providers
avatar joomla-cms-bot joomla-cms-bot - change - 19 May 2023
Category Administration com_joomlaupdate Language & Strings Modules Repository NPM Change JavaScript Installation Layout Front End Plugins
avatar brianteeman brianteeman - open - 19 May 2023
avatar brianteeman brianteeman - change - 19 May 2023
Status New Pending
avatar brianteeman brianteeman - change - 19 May 2023
Labels Added: Language Change NPM Resource Changed PR-5.0-dev
avatar joomla-cms-bot joomla-cms-bot - change - 19 May 2023
Category Administration com_joomlaupdate Language & Strings Modules Repository NPM Change JavaScript Installation Layout Front End Plugins Administration com_joomlaupdate Language & Strings Modules Repository NPM Change JavaScript Installation Layout Front End
avatar brianteeman
brianteeman - comment - 19 May 2023

Once again reviewers commenting on something that its not. Waste of my time

avatar brianteeman brianteeman - change - 19 May 2023
Status Pending Closed
Closed_Date 0000-00-00 00:00:00 2023-05-19 21:31:37
Closed_By brianteeman
avatar brianteeman brianteeman - close - 19 May 2023
avatar brianteeman brianteeman - change - 20 May 2023
Status Closed New
Closed_Date 2023-05-19 21:31:37
Closed_By brianteeman
avatar brianteeman brianteeman - change - 20 May 2023
Status New Closed
avatar brianteeman brianteeman - change - 20 May 2023
Status Closed Pending
avatar brianteeman brianteeman - reopen - 20 May 2023
avatar brianteeman brianteeman - change - 20 May 2023
The description was changed
avatar brianteeman brianteeman - edited - 20 May 2023
avatar brianteeman
brianteeman - comment - 20 May 2023

Added description and test instructions

avatar brianteeman brianteeman - change - 20 May 2023
The description was changed
avatar brianteeman brianteeman - edited - 20 May 2023
avatar chmst
chmst - comment - 20 May 2023

A nice feature and usability improvement.

grafik
@bembelimen is right here. If there are several password fields on the screen, the message appears only on one place.

grafik

When I start entering credentials in the loginsite the message appears, butnot on the login module - the message appears.
I suggest the String "Caps Lock is on" (no dot).

avatar brianteeman brianteeman - change - 20 May 2023
Status Pending Closed
Closed_Date 0000-00-00 00:00:00 2023-05-20 08:40:13
Closed_By brianteeman
avatar brianteeman brianteeman - close - 20 May 2023
avatar HLeithner
HLeithner - comment - 20 May 2023

I would accept this feature (even if I think is a security issue and would it make it globaly configureable). what does speak against doing it like apple in macos?
image

avatar brianteeman
brianteeman - comment - 20 May 2023

Not making it configurable and refuse to be responsible for anyone saying I introduced a security issue so will just use this for myself and not share it. Seems that most people do that anyway.

avatar dgrammatiko
dgrammatiko - comment - 20 May 2023

even if I think is a security issue

This IS NOT a security issue!!!

What IS a huge security issue is the fact that Joomla after all these years is not yet CSP Strict and has a big number of known XSS.

avatar HLeithner
HLeithner - comment - 20 May 2023

you opinion doesn't need to be my opinion, I only see a reduction of possible characters by 20-50%. Anyway many system do it so it's like not so bad. As long as I can disable it for my sites I have no problem with it.

I would like csp strict and I also want to get fixed all xss issues joomla.

avatar brianteeman
brianteeman - comment - 20 May 2023

I only see a reduction of possible characters by 20-50%. 

How???

avatar HLeithner
HLeithner - comment - 20 May 2023

if someone looks over your shoulder while you are typing he or she can see the capslock, I know that's maybe an odd scenario (shoulder and capslock-hiding trick) but I'm uncomfortable giving any information (without asking for it, I mean the show passwort button in this case) to an attacker. I also know that many people think different, that's the reason that I would merge it but wouldn't like to use it on my sites.

avatar dgrammatiko
dgrammatiko - comment - 20 May 2023

you opinion doesn't need to be my opinion,

I'm not trying to dictate my opinion rather trying to set the stage correctly: A client side indicator (not sharing state with the server) could NEVER be a security concern. It's just a decorative/informative that is only available to a particular user (it's UI/UX enhancement if you want)

I only see a reduction of possible characters by 20-50%

That's not correct, the code is only indicating the state of caps lock, not preventing the use of caps lock. Also as it was coded it's completely inaccessible as the message should be on an aria-live so visually impaired users could also be informed.

I would like csp strict and I also want to get fixed all xss issues joomla.

That won't happen anytime soon, unless the project is wiling to accept the B/C breaks required

avatar brianteeman
brianteeman - comment - 20 May 2023

So you also ban users from using a Mac on your sites?

avatar HLeithner
HLeithner - comment - 20 May 2023

So you also ban users from using a Mac on your sites?

sorry that I explained my concerns for this feature to you not more not less

avatar brianteeman
brianteeman - comment - 20 May 2023

@dgrammatiko it is accessible for screen readers as already explained. Fyi you cannot add aria live to the dom

@HLeithner you can't say it's not secure without justifying your statement

avatar HLeithner
HLeithner - comment - 20 May 2023

And then I get your comment, which is completely unrelated. The one thing is a user decision and the other thing is my decision as site creator. When the user like to have a mac with this feature so be it, why should I hold him or her back? It's a complete different level.

avatar brianteeman
brianteeman - comment - 20 May 2023

Of course it's related as it's a default behaviour on safari

avatar HLeithner
HLeithner - comment - 20 May 2023

still the decision of the user to have it not mine on my sites.

avatar dgrammatiko
dgrammatiko - comment - 20 May 2023

Fyi you cannot add aria live to the dom

Of course you can: Wrap any text with an <output> element and enjoy (aria-live is implicit for that element)

Add a Comment

Login with GitHub to post a comment