Uploaded image for project: 'Struts 1'
  1. Struts 1
  2. STR-3189

Enable the Autocomplete tag by default



    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.3.10
    • None
    • Tag Libraries
    • None
    • All


      I'm a big fan of Struts 1.3.x. I currently use Struts 1.3.10, the latest release of the 1.x Struts line.

      I would like the ability to disable autocomplete in an HTML form. Sadly (from a security perspective), most every browser enables autocomplete by default. We need to explicitly attribute our form html with autocomplete="off" - in both the form and form element tags of HTML 4.01+ pages. This is a very basic security protection. Wanting to preventing the browser from caching credit card number, PII and other critical user data is a no-brainier; appsec 101.

      Now, the recent 1.3.10 release made a great stride in this direction. Finally for the first time the main Struts 1.3.x branch supports the autocomplete tag (which defensive coders need - just to disable this feature via html!). But it's still not enabled by default in Struts! I need to modify the struts tld xml file in order to enable the autocomplete form and form element attribute; which takes me off the main branch of Struts 1.3.x.

      I implore you to consider enabling autocomplete by default, so we can turn it off - without having to customize our version of struts 1.3.x! The best security is "secured by default", and this request moves us in that direction.

      Jim Manico
      OWASP, Intrinsic Security Working Group




            Unassigned Unassigned
            jmanico Jim Manico
            0 Vote for this issue
            0 Start watching this issue