漏洞问题检测(上图):
解决办法:
阿里云推荐的技术参考网址
参考了一下,是因为input或form标签需要给属性,不然浏览器会直接默认记住密码,被不法分子滥用。
主要是三个,给autocomplete属性
off
It tells the browser not to save data inputted by the user for later autocompletion on similar forms, though heuristics for complying vary by browser.
It stops the browser from caching form data in the session history. When form data is cached in session history, the information filled in by the user is shown in the case where the user has submitted the form and clicked the Back button to go back to the original form page.
nope
In some cases, the browser will continue suggesting autocompletion values even if the autocomplete attribute is set to off. This unexpected behavior can be quite puzzling for developers. The trick to really enforcing non-autocompletion is to assign an invalid value to the attribute.
Since this value is not a valid one for the autocomplete attribute, the browser has no way to match it, and stops trying to autocomplete the field.
new-password
This is the behavior in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11).
If you are defining a user management page where a user can specify a new password for another person, and therefore you want to prevent autofilling of password fields, you can use autocomplete=“new-password”; however, support for this value has not been implemented on Firefox.
关于off对很多浏览器还是没有用,现在比较推荐的是nope,像new-password可能就有很多浏览器是不适配的。
我也去看了一下工商银行的,他们用的还是off,所以,用nope吧,足够了。
js代码,加在你的通用js中就可以了
对form表单设置一下就行了,不用对input标签设置,因为很多输入框不涉及安全问题,记住还是挺方便的
//去掉所有form的autocomplete, 显示指定的除外,如果有input的需求的话,改一下就行了 ,jquery实现的
$(function(){
$('form:not([autocomplete]),textarea:not([autocomplete]),select:not([autocomplete])').attr('autocomplete', 'nope');
});