Merge pull request rails#43280 from ryanfb/hidden_autocomplete_off

Add autocomplete="off" to all generated hidden fields (fixes rails#42610)

Author: rafaelfranca

actiontext/test/template/form_helper_test.rb

@@ -34,7 +34,7 @@ def form_with(*, **)
 
     assert_dom_equal \
       '<form action="/messages" accept-charset="UTF-8" method="post">' \
-        '<input type="hidden" name="content" id="trix_input_1" />' \
+        '<input type="hidden" name="content" id="trix_input_1" autocomplete="off" />' \
         '<trix-editor input="trix_input_1" class="trix-content" data-direct-upload-url="http://test.host/rails/active_storage/direct_uploads" data-blob-url-template="http://test.host/rails/active_storage/blobs/redirect/:signed_id/:filename">' \
         "</trix-editor>" \
       "</form>",
@@ -48,7 +48,7 @@ def form_with(*, **)
 
     assert_dom_equal \
       '<form action="/messages" accept-charset="UTF-8" method="post">' \
-        '<input type="hidden" name="message[content]" id="message_content_trix_input_message" />' \
+        '<input type="hidden" name="message[content]" id="message_content_trix_input_message" autocomplete="off" />' \
         '<trix-editor id="message_content" input="message_content_trix_input_message" class="trix-content" data-direct-upload-url="http://test.host/rails/active_storage/direct_uploads" data-blob-url-template="http://test.host/rails/active_storage/blobs/redirect/:signed_id/:filename">' \
         "</trix-editor>" \
       "</form>",
@@ -62,7 +62,7 @@ def form_with(*, **)
 
     assert_dom_equal \
       '<form action="/messages" accept-charset="UTF-8" method="post">' \
-        '<input type="hidden" name="message[content]" id="message_content_trix_input_message" />' \
+        '<input type="hidden" name="message[content]" id="message_content_trix_input_message" autocomplete="off" />' \
         '<trix-editor id="message_content" input="message_content_trix_input_message" class="custom-class" data-direct-upload-url="http://test.host/rails/active_storage/direct_uploads" data-blob-url-template="http://test.host/rails/active_storage/blobs/redirect/:signed_id/:filename">' \
         "</trix-editor>" \
       "</form>",
@@ -76,7 +76,7 @@ def form_with(*, **)
 
     assert_dom_equal \
       '<form action="/messages" accept-charset="UTF-8" method="post">' \
-        '<input type="hidden" name="message[not_an_attribute]" id="message_not_an_attribute_trix_input_message" />' \
+        '<input type="hidden" name="message[not_an_attribute]" id="message_not_an_attribute_trix_input_message" autocomplete="off" />' \
         '<trix-editor id="message_not_an_attribute" input="message_not_an_attribute_trix_input_message" class="trix-content" data-direct-upload-url="http://test.host/rails/active_storage/direct_uploads" data-blob-url-template="http://test.host/rails/active_storage/blobs/redirect/:signed_id/:filename">' \
         "</trix-editor>" \
       "</form>",
@@ -90,7 +90,7 @@ def form_with(*, **)
 
     assert_dom_equal \
       '<form action="/messages" accept-charset="UTF-8" method="post">' \
-        '<input type="hidden" name="message[content]" id="trix_input_2" />' \
+        '<input type="hidden" name="message[content]" id="trix_input_2" autocomplete="off" />' \
         '<trix-editor id="message_content" input="trix_input_2" class="trix-content" data-direct-upload-url="http://test.host/rails/active_storage/direct_uploads" data-blob-url-template="http://test.host/rails/active_storage/blobs/redirect/:signed_id/:filename">' \
         "</trix-editor>" \
       "</form>",
@@ -104,7 +104,7 @@ def form_with(*, **)
 
     assert_dom_equal \
       '<form action="/messages" accept-charset="UTF-8" method="post">' \
-        '<input type="hidden" name="message[content]" id="message_content_trix_input_message" />' \
+        '<input type="hidden" name="message[content]" id="message_content_trix_input_message" autocomplete="off" />' \
         '<trix-editor placeholder="Content" id="message_content" input="message_content_trix_input_message" class="trix-content" data-direct-upload-url="http://test.host/rails/active_storage/direct_uploads" data-blob-url-template="http://test.host/rails/active_storage/blobs/redirect/:signed_id/:filename">' \
         "</trix-editor>" \
       "</form>",
@@ -120,7 +120,7 @@ def form_with(*, **)
 
     assert_dom_equal \
       '<form action="/messages" accept-charset="UTF-8" method="post">' \
-        '<input type="hidden" name="message[title]" id="message_title_trix_input_message" />' \
+        '<input type="hidden" name="message[title]" id="message_title_trix_input_message" autocomplete="off" />' \
         '<trix-editor placeholder="Story title" id="message_title" input="message_title_trix_input_message" class="trix-content" data-direct-upload-url="http://test.host/rails/active_storage/direct_uploads" data-blob-url-template="http://test.host/rails/active_storage/blobs/redirect/:signed_id/:filename">' \
         "</trix-editor>" \
       "</form>",
@@ -134,7 +134,7 @@ def form_with(*, **)
 
     assert_dom_equal \
       '<form action="/messages" accept-charset="UTF-8" method="post">' \
-        '<input type="hidden" name="message[title]" id="message_title_trix_input_message" value="&lt;h1&gt;hello world&lt;/h1&gt;" />' \
+        '<input type="hidden" name="message[title]" id="message_title_trix_input_message" value="&lt;h1&gt;hello world&lt;/h1&gt;" autocomplete="off" />' \
         '<trix-editor id="message_title" input="message_title_trix_input_message" class="trix-content" data-direct-upload-url="http://test.host/rails/active_storage/direct_uploads" data-blob-url-template="http://test.host/rails/active_storage/blobs/redirect/:signed_id/:filename">' \
         "</trix-editor>" \
       "</form>",
@@ -148,7 +148,7 @@ def form_with(*, **)
 
     assert_dom_equal \
       '<form action="/messages" accept-charset="UTF-8" method="post">' \
-        '<input type="hidden" name="message[title]" id="message_title_trix_input_message" form="other_form" />' \
+        '<input type="hidden" name="message[title]" id="message_title_trix_input_message" form="other_form" autocomplete="off" />' \
         '<trix-editor id="message_title" input="message_title_trix_input_message" class="trix-content" data-direct-upload-url="http://test.host/rails/active_storage/direct_uploads" data-blob-url-template="http://test.host/rails/active_storage/blobs/redirect/:signed_id/:filename">' \
         "</trix-editor>" \
       "</form>",
@@ -162,7 +162,7 @@ def form_with(*, **)
 
     assert_dom_equal \
       '<form action="/messages" accept-charset="UTF-8" method="post">' \
-        '<input type="hidden" name="message[content]" id="message_content_trix_input_message" />' \
+        '<input type="hidden" name="message[content]" id="message_content_trix_input_message" autocomplete="off" />' \
         '<trix-editor id="message_content" input="message_content_trix_input_message" class="trix-content" data-direct-upload-url="http://test.host/direct_uploads" data-blob-url-template="http://test.host/rails/active_storage/blobs/redirect/:signed_id/:filename">' \
         "</trix-editor>" \
       "</form>",
@@ -176,7 +176,7 @@ def form_with(*, **)
 
     assert_dom_equal \
       '<form action="/messages" accept-charset="UTF-8" method="post">' \
-        '<input type="hidden" name="message[content]" id="message_content_trix_input_message" />' \
+        '<input type="hidden" name="message[content]" id="message_content_trix_input_message" autocomplete="off" />' \
         '<trix-editor id="message_content" input="message_content_trix_input_message" class="trix-content" data-direct-upload-url="http://test.host/rails/active_storage/direct_uploads" data-blob-url-template="http://test.host/blobs/:signed_id/:filename">' \
         "</trix-editor>" \
       "</form>",

actionview/lib/action_view/helpers/date_helper.rb

@@ -1101,7 +1101,8 @@ def build_hidden(type, value)
             type: "hidden",
             id: input_id_from_type(type),
             name: input_name_from_type(type),
-            value: value
+            value: value,
+            autocomplete: "off"
           }.merge!(@html_options.slice(:disabled))
           select_options[:disabled] = "disabled" if @options[:disabled]
 

actionview/lib/action_view/helpers/form_tag_helper.rb

@@ -277,7 +277,7 @@ def label_tag(name = nil, content_or_options = nil, options = nil, &block)
       #   # => <input id="collected_input" name="collected_input" onchange="alert('Input collected!')"
       #   #    type="hidden" value="" />
       def hidden_field_tag(name, value = nil, options = {})
-        text_field_tag(name, value, options.merge(type: :hidden))
+        text_field_tag(name, value, options.merge(type: :hidden, autocomplete: "off"))
       end
 
       # Creates a file upload field. If you are using file uploads then you will also need
@@ -866,7 +866,7 @@ def utf8_enforcer_tag
         # Use raw HTML to ensure the value is written as an HTML entity; it
         # needs to be the right character regardless of which encoding the
         # browser infers.
-        '<input name="utf8" type="hidden" value="&#x2713;" />'.html_safe
+        '<input name="utf8" type="hidden" value="&#x2713;" autocomplete="off" />'.html_safe
       end
 
       private

actionview/lib/action_view/helpers/tags/base.rb

@@ -141,7 +141,7 @@ def select_content_tag(option_tags, options, html_options)
             select = content_tag("select", add_options(option_tags, options, value), html_options)
 
             if html_options["multiple"] && options.fetch(:include_hidden, true)
-              tag("input", disabled: html_options["disabled"], name: html_options["name"], type: "hidden", value: "") + select
+              tag("input", disabled: html_options["disabled"], name: html_options["name"], type: "hidden", value: "", autocomplete: "off") + select
             else
               select
             end

actionview/lib/action_view/helpers/tags/check_box.rb

@@ -57,7 +57,7 @@ def checked?(value)
           end
 
           def hidden_field_for_checkbox(options)
-            @unchecked_value ? tag("input", options.slice("name", "disabled", "form").merge!("type" => "hidden", "value" => @unchecked_value)) : "".html_safe
+            @unchecked_value ? tag("input", options.slice("name", "disabled", "form").merge!("type" => "hidden", "value" => @unchecked_value, "autocomplete" => "off")) : "".html_safe
           end
       end
     end

actionview/lib/action_view/helpers/tags/hidden_field.rb

@@ -4,6 +4,10 @@ module ActionView
   module Helpers
     module Tags # :nodoc:
       class HiddenField < TextField # :nodoc:
+        def render
+          @options[:autocomplete] = "off"
+          super
+        end
       end
     end
   end

actionview/lib/action_view/helpers/url_helper.rb

@@ -362,7 +362,8 @@ def button_to(name = nil, options = nil, html_options = nil, &block)
         inner_tags = method_tag.safe_concat(button).safe_concat(request_token_tag)
         if params
           to_form_params(params).each do |param|
-            inner_tags.safe_concat tag(:input, type: "hidden", name: param[:name], value: param[:value])
+            inner_tags.safe_concat tag(:input, type: "hidden", name: param[:name], value: param[:value],
+                                       autocomplete: "off")
           end
         end
         content_tag("form", inner_tags, form_options)
@@ -768,14 +769,14 @@ def method_not_get_method?(method)
         def token_tag(token = nil, form_options: {})
           if token != false && defined?(protect_against_forgery?) && protect_against_forgery?
             token ||= form_authenticity_token(form_options: form_options)
-            tag(:input, type: "hidden", name: request_forgery_protection_token.to_s, value: token)
+            tag(:input, type: "hidden", name: request_forgery_protection_token.to_s, value: token, autocomplete: "off")
           else
             ""
           end
         end
 
         def method_tag(method)
-          tag("input", type: "hidden", name: "_method", value: method.to_s)
+          tag("input", type: "hidden", name: "_method", value: method.to_s, autocomplete: "off")
         end
 
         # Returns an array of hashes each containing :name and :value keys

actionview/test/activerecord/form_helper_activerecord_test.rb

@@ -51,18 +51,18 @@ def test_nested_fields_for_with_child_index_option_override_on_a_nested_attribut
 
     expected = whole_form("/developers/123", "edit_developer_123", "edit_developer", method: "patch") do
       '<input id="developer_projects_attributes_abc_name" name="developer[projects_attributes][abc][name]" type="text" value="project #321" />' \
-          '<input id="developer_projects_attributes_abc_id" name="developer[projects_attributes][abc][id]" type="hidden" value="321" />'
+          '<input id="developer_projects_attributes_abc_id" name="developer[projects_attributes][abc][id]" type="hidden" value="321" autocomplete="off" />'
     end
 
     assert_dom_equal expected, output_buffer
   end
 
   private
     def hidden_fields(method = nil)
-      txt = +%{<input name="utf8" type="hidden" value="&#x2713;" />}
+      txt = +%{<input name="utf8" type="hidden" value="&#x2713;" autocomplete="off" />}
 
       if method && !%w(get post).include?(method.to_s)
-        txt << %{<input name="_method" type="hidden" value="#{method}" />}
+        txt << %{<input name="_method" type="hidden" value="#{method}" autocomplete="off" />}
       end
 
       txt