ZF2-577: Password fields should always be empty by default

Description

When I display a password field in a view script, the field value is remembered and thus shows up in the HTML source code. I think it is bad practice to fill in password fields when the form validation fails, because it exposes the password in plain text in the HTML source code.


For now I fixed it in my view script by changing the password field value to an empty string before calling prepare():

```php
$form = $this->form;

/** Remove password value for security */
$form->get('password')->setValue('');

$form->setAttribute('action', $this->url())
     ->prepare();
```

In my opinion the method Zend\Form\Form::prepare() which calls Zend\Form\Fieldset::prepareElement() should take care of this and remove the value if the field is a password field to prevent the exposure of passwords.
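As an added example (not code from the reporter or from the Zend Framework project), the following shows what the proposed behaviour looks like when done centrally instead of per view script: a form base class that walks its elements, including nested fieldsets, and blanks every `Zend\Form\Element\Password` before the parent `prepare()` runs, so a value echoed back from a failed POST never reaches the rendered HTML. The class name `PasswordSafeForm`, the `Application\Form` namespace and the `login` form with its `username`/`password` elements are assumptions for the demonstration.

```php
<?php
// Added example: not part of the issue or of Zend Framework itself.
namespace Application\Form;

use Zend\Form\Element\Password;
use Zend\Form\Fieldset;
use Zend\Form\Form;

/**
 * Hypothetical base form: clears every Password element (recursively,
 * through nested fieldsets) right before the form is prepared for rendering.
 * Validation has already happened by the time prepare() is called, so the
 * submitted password is still available to isValid()/getData(); only the
 * value that would be echoed into the <input> tag is discarded.
 */
class PasswordSafeForm extends Form
{
    public function prepare()
    {
        $this->clearPasswordValues($this);

        // parent::prepare() is idempotent (it tracks its own isPrepared
        // flag), so clearing first is safe even if prepare() is called twice.
        return parent::prepare();
    }

    /**
     * Walk a fieldset (a Form is itself a Fieldset) and blank out any
     * Password element found, descending into child fieldsets.
     */
    protected function clearPasswordValues(Fieldset $fieldset)
    {
        foreach ($fieldset as $elementOrFieldset) {
            if ($elementOrFieldset instanceof Fieldset) {
                $this->clearPasswordValues($elementOrFieldset);
            } elseif ($elementOrFieldset instanceof Password) {
                $elementOrFieldset->setValue('');
            }
        }
    }
}

// Usage (assumed form definition; the posted data is constructed for the demo):
$form = new PasswordSafeForm('login');
$form->add(array('name' => 'username', 'type' => 'Text'));
$form->add(array('name' => 'password', 'type' => 'Password'));

// Simulate a failed submission being redisplayed: setData() populates the
// element values, which is exactly what leaks into the view otherwise.
$form->setData(array('username' => 'alice', 'password' => 'correct horse'));

// In a real controller, $form->isValid() runs here and fails.

$form->prepare();

// Nothing to render for the password element any more; the username is kept.
$emptyPassword = $form->get('password')->getValue() === '';
$usernameKept  = $form->get('username')->getValue() === 'alice';
```

Because `prepare()` is only called at render time, `isValid()` and `getData()` still see the submitted password; only the re-rendered `<input type="password">` loses its `value` attribute, which matches what ZF1's `renderPassword` helper did by default.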

Comments

Look at ZF1: `renderPassword` in `Zend_View_Helper_FormPassword`.

This issue has been closed on Jira and moved to GitHub for issue tracking. To continue following the resolution of this issues, please visit: https://github.com/zendframework/zf2/issues/2602