Just published a Ruby gem for Rails apps that adds an autocomplete="off" attribute to all Rails-generated hidden form inputs, since Firefox has a 12-year-old bug that will populate hidden form inputs with random values otherwise: github.com/podqueue/rails-hidd

Kind of wild to me that this bug is so long-lived and little-known, since any large website will get a non-zero number of completely random junk strings from Firefox users for hidden form inputs.

…and since Rails uses hidden inputs by default for CSRF protection and non-standard HTTP methods, you’ll by default see random “Invalid Authenticity Token” errors and form inputs getting routed to the wrong action.

Any large web app that uses the old web developer trick of passing some data/state between actions with hidden form inputs without validating that data server-side probably has a whole lot of completely random strings saved from Firefox users!
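As an added illustration, not code from the post, the gem, or Rails itself: the snippet below sketches both halves of the problem described above in plain Ruby. `HiddenInputHelper` is a constructed stand-in for a Rails-style `hidden_field_tag`, `HiddenAutocompleteOff` is one way a patch can inject `autocomplete="off"` into every hidden input (how the real gem does it is an assumption here), and `effective_http_method` models how a `Rack::MethodOverride`-style layer treats the `_method` field: a recognised verb overrides the POST, while autofilled junk is silently ignored, so an intended PATCH lands in the POST (create) action. The sample params are constructed, not captured traffic.

```ruby
require "cgi"

# Constructed stand-in for a Rails-style hidden_field_tag helper (not Rails'
# or the gem's code). Emits <input type="hidden" name="..." value="..." />.
module HiddenInputHelper
  def hidden_field_tag(name, value, options = {})
    attrs = { "type" => "hidden", "name" => name.to_s, "value" => value.to_s }
    options.each { |k, v| attrs[k.to_s] = v.to_s }
    "<input " + attrs.map { |k, v| %(#{k}="#{CGI.escapeHTML(v)}") }.join(" ") + " />"
  end
end

# Mitigation: a prepended module that adds autocomplete="off" to every hidden
# input unless the caller set autocomplete explicitly. This structure is an
# assumption about how such a patch can be wired in, not the gem's internals.
module HiddenAutocompleteOff
  def hidden_field_tag(name, value, options = {})
    options = { "autocomplete" => "off" }.merge(options.transform_keys(&:to_s))
    super(name, value, options)
  end
end

# A view object standing in for a Rails view context.
class FormView
  include HiddenInputHelper
  prepend HiddenAutocompleteOff
end

# Server side, modelled on Rack::MethodOverride: only a POST may be overridden,
# and only to a known verb. Anything else (for example junk Firefox autofilled
# into the hidden _method field) is ignored and the request stays a POST,
# which is how an "update" submission ends up routed to "create".
ALLOWED_OVERRIDES = %w[GET HEAD PUT PATCH DELETE OPTIONS].freeze

def effective_http_method(request_method, params)
  return request_method unless request_method == "POST"
  override = params["_method"].to_s.strip.upcase
  ALLOWED_OVERRIDES.include?(override) ? override : "POST"
end

# Constructed sample submissions (not real traffic): one as the form intended,
# one with the _method field replaced by autofill junk.
GOOD_PARAMS = { "_method" => "patch", "authenticity_token" => "tok" }.freeze
JUNK_PARAMS = { "_method" => "x7Qf9z", "authenticity_token" => "tok" }.freeze

def demo
  view = FormView.new
  {
    tag:  view.hidden_field_tag("_method", "patch"),
    good: effective_http_method("POST", GOOD_PARAMS),
    junk: effective_http_method("POST", JUNK_PARAMS),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The same allowlist-or-reject discipline applies to any hidden field used to carry state between actions: treat its value as untrusted input and validate it against the set of values the server actually issued, rather than trusting that the browser echoed it back unchanged.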


been developing with Rails for over a decade and just made my first Rails PR: github.com/rails/rails/pull/43
