django-DefectDojo Fix the accessibility issue in the login page: Labels or instructions not provided when content requires user input

Page / Screen Title Defect Dojo login Page URL / Screen ID https://demo.defectdojo.org Error Title Labels or instructions not provided when content requires user input Error Severity Serious Status Fail Accessibility Issue [Description of issue] The required fields such as "Username" and "Password" are mandatory in order to login. The only visual indicator that a user assume that its required, are the "*".

[Impact on users] User might not know that the fields are required.

[Pattern] On the login page, the 2 label for the input field.

[Steps to reproduce] Please see screenshot

[Sample of code] Username^*

Remediation [Recommendation] Please have the word (required) within the label of the input and put the "*" and required in red.

[Example of Compliant Code]

Mar 18 '25 19:03 oussama-taoufiq

DryRun Security Summary

CSS and HTML template updates for form fields and login page were made, with identified security considerations around multiple authentication methods and potential risks in OAuth login URL parameter handling.

Expand for full summary

Summary: CSS and HTML template modifications for form fields and login page, adjusting layout, styling, and authentication method display with minor grid and class changes.
Security Findings:

Multiple authentication methods increase potential attack surface
Passes request.GET.next parameter in OAuth login URLs (potential security risk if not properly validated)
External authentication methods depend on correct provider configuration
Multiple OAuth/SSO providers could introduce additional security complexity

Code Analysis

We ran 7 analyzers against 3 files and 1 analyzer had findings. 6 analyzers had no findings.

Analyzer	Findings
Configured Codepaths Analyzer	3 findings

Overall Riskiness

:red_circle: Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.

Mar 18 '25 19:03 dryrunsecurity[bot]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Mar 18 '25 19:03 github-actions[bot]

Conflicts have been resolved. A maintainer will review the pull request shortly.

Mar 18 '25 19:03 github-actions[bot]

Conflicts have been resolved. A maintainer will review the pull request shortly.

Mar 18 '25 23:03 github-actions[bot]

Hello @oussama-taoufiq, would you please migrate this PR to use the aria-required attribute instead of the (required) text? Documentation on aria-required can be found here.

Mar 25 '25 21:03 blakeaowens

Hello @oussama-taoufiq, would you please migrate this PR to use the aria-required attribute instead of the (required) text? Documentation on aria-required can be found here.

+1,000 on using aria-required

Mar 25 '25 22:03 mtesauro

Hello @blakeaowens, @mtesauro, could you tell me where the username and password input are injected into the login page to be able to add the area-required attribute?

Apr 02 '25 15:04 oussama-taoufiq

The login for is rendered by the form_fields.html snippet. This change would be in the same place that you added the (required) label

Apr 07 '25 22:04 Maffooch

@Maffooch, Regarding the documentation you mentioned above, the aria-required attribute must be applied to the text box element and not to the label. In addition, I get an error when I try to put it on the label in the form_fields.html snippet.

Apr 08 '25 19:04 oussama-taoufiq

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Oct 27 '25 19:10 github-actions[bot]