Passwords: Disable hidden input fields on profile/user edit page.

Prevents an issue where password helpers would autofill the hidden password fields and inadvertently causing password changes when editing other fields on the profile page.

Props adamsilverstein.
Fixes #33699.
Built from https://develop.svn.wordpress.org/trunk@35603


git-svn-id: http://core.svn.wordpress.org/trunk@35567 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/js/user-profile.js

@@ -195,6 +195,11 @@
 			}
 		} );
 
+		// Disable the hidden inputs to prevent autofill and submission.
+		$pass1.prop( 'disabled', true );
+		$pass2.prop( 'disabled', true );
+		$pass1Text.prop( 'disabled', true );
+
 		$passwordWrapper = $pass1Row.find( '.wp-pwd' );
 		$generateButton  = $pass1Row.find( 'button.wp-generate-pw' );
 
@@ -211,6 +216,11 @@
 			$generateButton.hide();
 			$passwordWrapper.show();
 
+			// Enable the inputs when showing.
+			$pass1.attr( 'disabled', false );
+			$pass2.attr( 'disabled', false );
+			$pass1Text.attr( 'disabled', false );
+
 			if ( $pass1Text.val().length === 0 ) {
 				generatePassword();
 			}
@@ -239,6 +249,11 @@
 			$generateButton.show();
 			$passwordWrapper.hide();
 
+			// Disable the inputs when hiding to prevent autofill and submission.
+			$pass1.prop( 'disabled', true );
+			$pass2.prop( 'disabled', true );
+			$pass1Text.prop( 'disabled', true );
+
 			resetToggle();
 
 			// Clear password field to prevent update

wp-includes/version.php

@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.4-beta3-35602';
+$wp_version = '4.4-beta3-35603';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.