Set the Other Amount input in a price set to not autocomplete

[homotechsual]

Overview

I can't see a use case where autocomplete in this field is useful, but not having it explicitly set to off is becoming an issue in recent versions of Chrome which guess wildly at what the field is for. https://chat.civicrm.org/civicrm/pl/qyrpehyojffwxdm8s1fzf3pmsr.

Before

Browser guesses at autocomplete type for this field (reproduced in Chrome on Windows and Ubuntu 20.04 but could not reproduce on Mac OS (thanks @KarinG <3 )

After

Explicitly sets the field to autocomplete=off telling browsers not to try and autocomplete this field.

[civibot]

(Standard links)

• If this is your first pull-request for CiviCRM, please browse CONTRIBUTING.md for information about the development and testing processes.
• If you are reviewing this pull-request, you may wish to consult the test sites and the Review Standards (long template, short template).

[KarinG]

Not seeing this on Mac -> Chrome -> when allowing autofill (5.33.4) ->

[KarinG]

So the solution is for CiviCRM to safeguard against potential bad autofill?

[homotechsual]

So the solution is for CiviCRM to safeguard against potential bad autofill?

Yes, the solution for CiviCRM is to play it safe on form fields and set autocomplete off when there's no benefit to not having it. It's a one-line code change that prevents browsers from interfering with payment form amounts. Seems to me like it's a small change that has no downside.

[homotechsual]

This is Chrome on Windows 10:

It's actually pretty unreliable behaviour wise sometimes - testing this I've seen different behaviour in how browsers and password managers handle the field some of them are trying to autocomplete it and some combinations aren't with autocomplete=off none of them intervene.

Side note: I feel dirty :-D I installed Chrome on 3 devices to test this :-/

[eileenmcnaughton]

@colemanw @agh1 I'm inclined to merge this - but I'm pretty sure this is not the only field it applies to (my chrome browser drives me mad with it's autofill attempts)

[homotechsual]

@eileenmcnaughton happy to expand this to other forms that have similar issues - assuming we accept the logic that there are just some fields that don't benefit in any way from AutoComplete :-)

[seamuslee001]

Whilst noting the issues with Chrome's compliance with the standard I am supportive of this

[agh1]

@eileenmcnaughton I agree that this would be good to prevent autofill. I have all autofill turned off always, but I'm a bit surprised that Chrome would think that an amount field like this would make sense to autofill.

I agree that there are probably tons of other fields to do this on. However, I think it makes sense to just merge this as-is and be prepared for other PRs doing the same sort of thing elsewhere. A few reasons why:

• This code is specific to this one field.
• The logic of why Chrome autofills is so opaque that if we were to proceed systematically we'd end up making nearly anything skip autofill.
• We'd probably find that a lot of relevant spots bounce between form-specific code, field metadata, and quickform utility functions, meaning that any fix would need specific attention to the individual field and situation.
• If Chrome decides our other_amount is something to autofill, it probably does so for a lot of other inappropriate fields on other sites. I hope/assume that Chrome will get better at things like this, and at any rate, users encountering this will probably be used to it being silly all the time.

[eileenmcnaughton]

Thanks for the input @agh1 & the PR @MikeyMJCO & tetsing @KarinG (and lets not forget @seamuslee001's supportive mumuring :-))- merging

[nc3man]

Fwiw, this little patch did not make it to ESR. I was just about to update to 5.33.5 and will have to edit core directly again. How do things make it to ESR?

[eileenmcnaughton]

@nc3man - we normally backport regressions fixes and security fixes to the ESR but not general bug fixes (if we did it would quickly stop looking like an ESR and look a lot more like 'latest stable') - this looks like a general bug fix to me

[nc3man]

@eileenmcnaughton got it. And not even a "general" bug fix. Almost too specific to both Chrome and specific form fields. I'll test, for grins, before applying the edit just to see if Chrome has gotten wiser.