[#40628] - [5.0] Password Field CAPS LOCK indicator
- Closed
- 20 May 2023
- Medium
- Build: 5.0-dev
- # 40628
- Diff
- brianteeman:capslock
User tests: Successful: Unsuccessful:
Entering a password in a masked password field when you have the capslock on is a frustrating experience.
If you are using a screen reader then you are in luck as the screen reader feels your pain and announces that you have caps lock on in a password field.
If you are using safari then you are also in luck as the browser adds a visual indicator that you have caps lock on in a password field.
This PR does the same for everyone else.
This is active on all core password type fields and any 3rd party password field using the layout. (I will update the manual with the instructions to add it to your own extension not using the core layout.
Styling of the text on the front end is beyond the scope of this PR as there is already an open issue for the validation messages in cassipeia
Testing
The easiest way is to use a prebuilt package.
Otherwise apply the pr and then npm ci
Expected Behaviour
- If you are in a password field and accidentally press the caps lock key you will see a message that caps lock is on and the message is removed when caps lock is removed
- If you are in any other field and caps lock is on and click into the password field using a mouse or other pointer device the message will be displayed
- If you are in any other field and caps lock is on and tab into the password field the message will be displayed when you press the nex tinput key
Notes
This is an accessibility and usability feature
- documentation changes for manual.joomla.org needed for extension providers
joomla-cms-bot
- | Category | ⇒ | Administration com_joomlaupdate Language & Strings Modules Repository NPM Change JavaScript Installation Layout Front End Plugins |
| Status | New | ⇒ | Pending |
| Labels |
Added:
Language Change
NPM Resource Changed
PR-5.0-dev
|
||
| Category | Administration com_joomlaupdate Language & Strings Modules Repository NPM Change JavaScript Installation Layout Front End Plugins | ⇒ | Administration com_joomlaupdate Language & Strings Modules Repository NPM Change JavaScript Installation Layout Front End |
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2023-05-19 21:31:37 |
| Closed_By | ⇒ | brianteeman |
| Status | Closed | ⇒ | New |
| Closed_Date | 2023-05-19 21:31:37 | ⇒ | |
| Closed_By | brianteeman | ⇒ |
| Status | New | ⇒ | Closed |
| Status | Closed | ⇒ | Pending |
Added description and test instructions
A nice feature and usability improvement.
@bembelimen is right here. If there are several password fields on the screen, the message appears only on one place.
When I start entering credentials in the loginsite the message appears, butnot on the login module - the message appears.
I suggest the String "Caps Lock is on" (no dot).
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2023-05-20 08:40:13 |
| Closed_By | ⇒ | brianteeman |
I would accept this feature (even if I think is a security issue and would it make it globaly configureable). what does speak against doing it like apple in macos?
Not making it configurable and refuse to be responsible for anyone saying I introduced a security issue so will just use this for myself and not share it. Seems that most people do that anyway.
even if I think is a security issue
This IS NOT a security issue!!!
What IS a huge security issue is the fact that Joomla after all these years is not yet CSP Strict and has a big number of known XSS.
you opinion doesn't need to be my opinion, I only see a reduction of possible characters by 20-50%. Anyway many system do it so it's like not so bad. As long as I can disable it for my sites I have no problem with it.
I would like csp strict and I also want to get fixed all xss issues joomla.
I only see a reduction of possible characters by 20-50%.
How???
if someone looks over your shoulder while you are typing he or she can see the capslock, I know that's maybe an odd scenario (shoulder and capslock-hiding trick) but I'm uncomfortable giving any information (without asking for it, I mean the show passwort button in this case) to an attacker. I also know that many people think different, that's the reason that I would merge it but wouldn't like to use it on my sites.
you opinion doesn't need to be my opinion,
I'm not trying to dictate my opinion rather trying to set the stage correctly: A client side indicator (not sharing state with the server) could NEVER be a security concern. It's just a decorative/informative that is only available to a particular user (it's UI/UX enhancement if you want)
I only see a reduction of possible characters by 20-50%
That's not correct, the code is only indicating the state of caps lock, not preventing the use of caps lock. Also as it was coded it's completely inaccessible as the message should be on an aria-live so visually impaired users could also be informed.
I would like csp strict and I also want to get fixed all xss issues joomla.
That won't happen anytime soon, unless the project is wiling to accept the B/C breaks required
So you also ban users from using a Mac on your sites?
So you also ban users from using a Mac on your sites?
sorry that I explained my concerns for this feature to you not more not less
@dgrammatiko it is accessible for screen readers as already explained. Fyi you cannot add aria live to the dom
@HLeithner you can't say it's not secure without justifying your statement
And then I get your comment, which is completely unrelated. The one thing is a user decision and the other thing is my decision as site creator. When the user like to have a mac with this feature so be it, why should I hold him or her back? It's a complete different level.
Of course it's related as it's a default behaviour on safari
still the decision of the user to have it not mine on my sites.
Fyi you cannot add aria live to the dom
Of course you can: Wrap any text with an <output> element and enjoy (aria-live is implicit for that element)
Once again reviewers commenting on something that its not. Waste of my time