From 66db054bae366d4a8a1af1006ab68daba95d2063 Mon Sep 17 00:00:00 2001
From: "Dominik Schilling (ocean90)" <ocean90@git.wordpress.org>
Date: Tue, 10 Nov 2015 20:40:18 +0000
Subject: [PATCH] Passwords: Disable hidden input fields on profile/user edit
 page.

Prevents an issue where password helpers would autofill the hidden password fields and inadvertently causing password changes when editing other fields on the profile page.

Props adamsilverstein.
Fixes #33699.

git-svn-id: https://develop.svn.wordpress.org/trunk@35603 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/js/user-profile.js | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/wp-admin/js/user-profile.js b/src/wp-admin/js/user-profile.js
index e591cb588d..f98853c3df 100644
--- a/src/wp-admin/js/user-profile.js
+++ b/src/wp-admin/js/user-profile.js
@@ -195,6 +195,11 @@
 			}
 		} );
 
+		// Disable the hidden inputs to prevent autofill and submission.
+		$pass1.prop( 'disabled', true );
+		$pass2.prop( 'disabled', true );
+		$pass1Text.prop( 'disabled', true );
+
 		$passwordWrapper = $pass1Row.find( '.wp-pwd' );
 		$generateButton  = $pass1Row.find( 'button.wp-generate-pw' );
 
@@ -211,6 +216,11 @@
 			$generateButton.hide();
 			$passwordWrapper.show();
 
+			// Enable the inputs when showing.
+			$pass1.attr( 'disabled', false );
+			$pass2.attr( 'disabled', false );
+			$pass1Text.attr( 'disabled', false );
+
 			if ( $pass1Text.val().length === 0 ) {
 				generatePassword();
 			}
@@ -239,6 +249,11 @@
 			$generateButton.show();
 			$passwordWrapper.hide();
 
+			// Disable the inputs when hiding to prevent autofill and submission.
+			$pass1.prop( 'disabled', true );
+			$pass2.prop( 'disabled', true );
+			$pass1Text.prop( 'disabled', true );
+
 			resetToggle();
 
 			// Clear password field to prevent update