
enhancement(settings): hide Subscription Token value on settings page #4324

Open
faisalahammad wants to merge 1 commit into
10up:develop from
faisalahammad:fix/4305-hide-subscription-token

faisalahammad commented Jun 19, 2026

Summary

The Subscription Token for ElasticPress.io users was displayed in plain text on the Settings page. This change hides the value by using a password field, and it preserves the existing token when the form is submitted without a new value.

Fixes #4305

Changes

includes/partials/settings-page.php

Before:

<input type="text" value="<?php echo esc_attr( $credentials['token'] ); ?>" name="ep_credentials[token]" id="ep_token">

After:

<input type="password" value="" autocomplete="new-password" placeholder="<?php echo esc_attr( $credentials['token'] ? '••••••••' : '' ); ?>" name="ep_credentials[token]" id="ep_token">

Why: Type password alone was not enough because the browser could still expose the value via DevTools. Leaving the value empty and using a placeholder means the token is never sent back to the browser.

includes/classes/Screen/Settings.php

Before:

if ( isset( $post['ep_credentials'] ) ) {
    $credentials = Utils\sanitize_credentials( $post['ep_credentials'] );
    Utils\update_option( 'ep_credentials', $credentials );
}

After:

if ( isset( $post['ep_credentials'] ) ) {
    $credentials = Utils\sanitize_credentials( $post['ep_credentials'] );

    if ( empty( $credentials['token'] ) ) {
        $prev_credentials     = Utils\get_epio_credentials();
        $credentials['token'] = $prev_credentials['token'];
    }

    Utils\update_option( 'ep_credentials', $credentials );
}

Why: Since the token input is always empty on page load, an empty POST value means the user did not change it. This prevents overwriting the stored token with an empty value on every save.

Testing

Test 1: Token is not exposed in the page

  1. Load ElasticPress > Settings with an existing token.
  2. Inspect the token input element.
  3. Confirm value="" and that the actual token is not in the DOM.

Result: Token not exposed in page source.

Test 2: Save without changing the token

  1. Load the Settings page.
  2. Click Save Changes without entering anything in the token field.
  3. Verify the token still works.

Result: Existing token is preserved.

Test 3: Update the token

  1. Enter a new value in the token field.
  2. Save Changes.
  3. Verify the new token is stored.

Result: New token is saved correctly.


- Change token input from type=text to type=password
- Remove token value from HTML, use masked placeholder instead
- Preserve existing token in DB when field submitted empty
- Update description text to reflect new behavior

Fixes 10up#4305
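
The "never echo the secret, treat a blank submit as unchanged" pattern from the description above, as an added stand-alone example (not the PR's or ElasticPress's code). The function names, the `trim()` step and the sample credentials are assumptions made for illustration.

```php
<?php
// Added illustration; these helpers are hypothetical, not ElasticPress APIs.

/** Render the token field without ever echoing the stored secret. */
function render_token_input( array $stored ): string {
    $placeholder = ! empty( $stored['token'] ) ? '••••••••' : '';
    return sprintf(
        '<input type="password" value="" autocomplete="new-password" placeholder="%s" name="ep_credentials[token]" id="ep_token">',
        htmlspecialchars( $placeholder, ENT_QUOTES )
    );
}

/** A blank token in the POST data means "unchanged": keep the stored one. */
function merge_submitted_credentials( array $submitted, array $stored ): array {
    // Assumption: whitespace-only input is treated the same as an empty field.
    $token = isset( $submitted['token'] ) ? trim( (string) $submitted['token'] ) : '';
    if ( '' === $token ) {
        // ?? covers a first save, when no token has been stored yet.
        $token = $stored['token'] ?? '';
    }
    $submitted['token'] = $token;
    return $submitted;
}

function check( bool $ok, string $what ): void {
    if ( ! $ok ) {
        throw new RuntimeException( "FAILED: $what" );
    }
    echo "ok: $what\n";
}

// Constructed sample data, not real credentials.
$stored = [ 'username' => 'demo-user', 'token' => 'constructed-sample-token-123' ];

// Regression check for the disclosure: the secret must not be in the markup.
$html = render_token_input( $stored );
check( false === strpos( $html, $stored['token'] ), 'stored token absent from markup' );
check( false !== strpos( $html, 'value=""' ), 'value attribute is empty' );

// Save paths: blank, whitespace-only, new value, and first save with nothing stored.
$blank = merge_submitted_credentials( [ 'username' => 'demo-user', 'token' => '' ], $stored );
check( $blank['token'] === $stored['token'], 'blank submit keeps stored token' );
$space = merge_submitted_credentials( [ 'token' => " \t" ], $stored );
check( $space['token'] === $stored['token'], 'whitespace-only submit keeps stored token' );
$fresh = merge_submitted_credentials( [ 'token' => 'constructed-new-token-456' ], $stored );
check( 'constructed-new-token-456' === $fresh['token'], 'new value replaces stored token' );
$first = merge_submitted_credentials( [ 'token' => '' ], [] );
check( '' === $first['token'], 'first save with no stored token stays empty' );
```

Under this rule a blank field can never clear a stored token, so removing one needs a separate explicit control.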

Development

Successfully merging this pull request may close these issues.

Hide Subscription Token value