From fc8462dc8ac82f4aa27d9f3afcda7caf9a2967dc Mon Sep 17 00:00:00 2001
From: Daniel Hammer <dlehammer@users.noreply.github.com>
Date: Mon, 6 Feb 2023 22:29:28 +0100
Subject: [PATCH] "Spell-Jacking" mitigation ~ prevent sensitive data leak from
 spell checker. (#2091)

@see https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords

Co-authored-by: Daniel Hammer <daniel.hammer+oss@gmail.com>
---
 ui/src/layout/Login.js    |  2 ++
 ui/src/user/UserCreate.js | 14 +++++++++++---
 ui/src/user/UserEdit.js   | 18 ++++++++++++++----
 3 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/ui/src/layout/Login.js b/ui/src/layout/Login.js
index cb8164b7c..a197b495b 100644
--- a/ui/src/layout/Login.js
+++ b/ui/src/layout/Login.js
@@ -138,6 +138,7 @@ const FormLogin = ({ loading, handleSubmit, validate }) => {
                     component={renderInput}
                     label={translate('ra.auth.username')}
                     disabled={loading}
+                    spellCheck={false}
                   />
                 </div>
                 <div className={classes.input}>
@@ -201,6 +202,7 @@ const FormSignUp = ({ loading, handleSubmit, validate }) => {
                     component={renderInput}
                     label={translate('ra.auth.username')}
                     disabled={loading}
+                    spellCheck={false}
                   />
                 </div>
                 <div className={classes.input}>
diff --git a/ui/src/user/UserCreate.js b/ui/src/user/UserCreate.js
index 8a7c32124..5d817dd01 100644
--- a/ui/src/user/UserCreate.js
+++ b/ui/src/user/UserCreate.js
@@ -51,10 +51,18 @@ const UserCreate = (props) => {
   return (
     <Create title={<Title subTitle={title} />} {...props}>
       <SimpleForm save={save} variant={'outlined'}>
-        <TextInput source="userName" validate={[required()]} />
+        <TextInput
+          spellCheck={false}
+          source="userName"
+          validate={[required()]}
+        />
         <TextInput source="name" validate={[required()]} />
-        <TextInput source="email" validate={[email()]} />
-        <PasswordInput source="password" validate={[required()]} />
+        <TextInput spellCheck={false} source="email" validate={[email()]} />
+        <PasswordInput
+          spellCheck={false}
+          source="password"
+          validate={[required()]}
+        />
         <BooleanInput source="isAdmin" defaultValue={false} />
       </SimpleForm>
     </Create>
diff --git a/ui/src/user/UserEdit.js b/ui/src/user/UserEdit.js
index 528ed365b..81883f0ce 100644
--- a/ui/src/user/UserEdit.js
+++ b/ui/src/user/UserEdit.js
@@ -108,22 +108,32 @@ const UserEdit = (props) => {
         save={save}
       >
         {permissions === 'admin' && (
-          <TextInput source="userName" validate={[required()]} />
+          <TextInput
+            spellCheck={false}
+            source="userName"
+            validate={[required()]}
+          />
         )}
         <TextInput
           source="name"
           validate={[required()]}
           {...getNameHelperText()}
         />
-        <TextInput source="email" validate={[email()]} />
+        <TextInput spellCheck={false} source="email" validate={[email()]} />
         <BooleanInput source="changePassword" />
         <FormDataConsumer>
           {(formDataProps) => (
-            <CurrentPasswordInput isMyself={isMyself} {...formDataProps} />
+            <CurrentPasswordInput
+              spellCheck={false}
+              isMyself={isMyself}
+              {...formDataProps}
+            />
           )}
         </FormDataConsumer>
         <FormDataConsumer>
-          {(formDataProps) => <NewPasswordInput {...formDataProps} />}
+          {(formDataProps) => (
+            <NewPasswordInput spellCheck={false} {...formDataProps} />
+          )}
         </FormDataConsumer>
 
         {permissions === 'admin' && (