ZF2-577: Password fields should always be empty by default
When I display a password field in a view script, the field value is remembered and thus shows up in the HTML source code. I think it is bad practice to fill in password fields when the form validation fails, because it exposes the password in plain text in the HTML source code.
For now I fixed it in my view script by changing the password field value to an empty string before calling prepare()
$form = $this->form; /** Remove password value for security */ $form->get( 'password' )->setValue( '' ); $form->setAttribute( 'action', $this->url() ) ->prepare();```
In my opinion the method Zend\Form\Form::prepare() which calls Zend\Form\Fieldset::prepareElement() should take care of this and remove the value if the field is a password field to prevent the exposure of passwords.