[#ZF-2860] (re)render the submitted password - Zend Framework Issue Tracker

Zend Framework

(re)render the submitted password

Created: 11/Mar/08 09:48 AM Updated: 05/May/08 11:44 AM

Component/s:

Zend_View, Zend_Form

Affects Version/s:

1.5.0RC1

Fix Version/s:

1.5.2

Time Tracking:

Original Estimate:

30 minutes

Remaining Estimate:

30 minutes

Time Spent:

Not Specified

Public Fields

Internal Project Management Fields

Resolution Date:

02/May/08 12:18 PM

Fix Version Priority:

Should Have

Description

« Hide

while this might be usefull for security reasons I prefere user friendly websites.
my patch will not render the password by default, just add a setRenderPassword() method to Zend_Form_Element_Password

patch:

Index: Form/Element/Password.php
===================================================================
--- Form/Element/Password.php	(revision 8741)
+++ Form/Element/Password.php	(working copy)
@@ -40,7 +40,31 @@
      */
     public $helper = 'formPassword';
 
+    public $options = array();
+
     /**
+     * should the entered password be rerendered when form is rerendered due to error (or success)
+     *
+     * @param bool $flag
+     * @return Zend_Form_Element_Password $this
+     */
+    public function setRenderPassword($flag) {
+        // small hack. we can access attribs in Zend_View_Helper_FormPassword
+        $this->options['renderPassword'] = (bool) $flag;
+        return $this;
+    }
+    
+    /**
+     * returns whether passord will be rerendered when form is rerendered due to error (or success)
+     *
+     * @return bool
+     */
+    public function getRenderPassword() {
+        // this way unset and false will return false
+        return !empty($this->options['renderPassword']);
+    }
+
+    /**
      * Override isValid()
      *
      * Ensure that validation error messages mask password value.
Index: View/Helper/FormPassword.php
===================================================================
--- View/Helper/FormPassword.php	(revision 8741)
+++ View/Helper/FormPassword.php	(working copy)
@@ -52,9 +52,9 @@
      *
      * @return string The element XHTML.
      */
-    public function formPassword($name, $value = null, $attribs = null)
+    public function formPassword($name, $value = null, $attribs = null, $options = null)
     {
-        $info = $this->_getInfo($name, $value, $attribs);
+        $info = $this->_getInfo($name, $value, $attribs, $options);
         extract($info); // name, value, attribs, options, listsep, disable
 
         // build the element
@@ -69,11 +69,17 @@
         if (($this->view instanceof Zend_View_Abstract) && !$this->view->doctype()->isXhtml()) {
             $endTag= '>';
         }
+        
+        // for security reasons don't render value of password by default!
+        // empty returns true when renderPassword is false or not set
+        if(empty($options['renderPassword'])) {
+            $value = '';
+        }
 
         $xhtml = '<input type="password"'
                 . ' name="' . $this->view->escape($name) . '"'
                 . ' id="' . $this->view->escape($id) . '"'
-                . ' value=""'                             // don't render value of password!
+                . ' value="' . $this->view->escape($value) . '"'
                 . $disabled
                 . $this->_htmlAttribs($attribs)
                 . $endTag;

both ways are working:

new Zend_Form_Element_Password('password', array('renderPassword' => true));

$password = new Zend_Form_Element_Password('password');
$password ->setRenderPassword(true);

Description

Why I want this? here is an example: registration form: username, password. validator fails: username is already in use form renders again with the username's errormessage and password input is gone. the user has to type it in again (twice for confirmation) while this might be usefull for security reasons I prefere user friendly websites. my patch will not render the password by default, just add a setRenderPassword() method to Zend_Form_Element_Password patch:

Index: Form/Element/Password.php
===================================================================
--- Form/Element/Password.php	(revision 8741)
+++ Form/Element/Password.php	(working copy)
@@ -40,7 +40,31 @@
      */
     public $helper = 'formPassword';
 
+    public $options = array();
+
     /**
+     * should the entered password be rerendered when form is rerendered due to error (or success)
+     *
+     * @param bool $flag
+     * @return Zend_Form_Element_Password $this
+     */
+    public function setRenderPassword($flag) {
+        // small hack. we can access attribs in Zend_View_Helper_FormPassword
+        $this->options['renderPassword'] = (bool) $flag;
+        return $this;
+    }
+    
+    /**
+     * returns whether passord will be rerendered when form is rerendered due to error (or success)
+     *
+     * @return bool
+     */
+    public function getRenderPassword() {
+        // this way unset and false will return false
+        return !empty($this->options['renderPassword']);
+    }
+
+    /**
      * Override isValid()
      *
      * Ensure that validation error messages mask password value.
Index: View/Helper/FormPassword.php
===================================================================
--- View/Helper/FormPassword.php	(revision 8741)
+++ View/Helper/FormPassword.php	(working copy)
@@ -52,9 +52,9 @@
      *
      * @return string The element XHTML.
      */
-    public function formPassword($name, $value = null, $attribs = null)
+    public function formPassword($name, $value = null, $attribs = null, $options = null)
     {
-        $info = $this->_getInfo($name, $value, $attribs);
+        $info = $this->_getInfo($name, $value, $attribs, $options);
         extract($info); // name, value, attribs, options, listsep, disable
 
         // build the element
@@ -69,11 +69,17 @@
         if (($this->view instanceof Zend_View_Abstract) && !$this->view->doctype()->isXhtml()) {
             $endTag= '>';
         }
+        
+        // for security reasons don't render value of password by default!
+        // empty returns true when renderPassword is false or not set
+        if(empty($options['renderPassword'])) {
+            $value = '';
+        }
 
         $xhtml = '<input type="password"'
                 . ' name="' . $this->view->escape($name) . '"'
                 . ' id="' . $this->view->escape($id) . '"'
-                . ' value=""'                             // don't render value of password!
+                . ' value="' . $this->view->escape($value) . '"'
                 . $disabled
                 . $this->_htmlAttribs($attribs)
                 . $endTag;

both ways are working:

new Zend_Form_Element_Password('password', array('renderPassword' => true));

$password = new Zend_Form_Element_Password('password');
$password ->setRenderPassword(true);

Show »

All

Comments

Work Log

Change History

FishEye

Crucible

Sort Order:

Ascending order - Click to sort in descending order

[ Permlink | « Hide ]

Wil Sinclair - 25/Mar/08 08:29 PM

Please categorize/fix as needed.

[ Permlink | « Hide ]

Matthew Weier O'Phinney - 22/Apr/08 11:19 AM

Scheduling for next mini release.

[ Permlink | « Hide ]

Matthew Weier O'Phinney - 02/May/08 12:18 PM

Resolved in trunk and 1.5 release branch. You may now pass a 'renderPassword' attribute to formPassword() (or set it in your Zend_Form_Element_Password object), and the password will be re-rendered in the form.