ZF-2547: Validator displays password for field types of 'password'

Issue Type: Bug Created: 2008-02-01T14:53:30.000+0000 Last Updated: 2008-02-11T11:16:32.000+0000 Status: Resolved Fix version(s): Reporter: Kevin Schroeder (kschroeder) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Form

  • Zend_Validate

Related issues: Attachments:


Creating a form with a password field that has a validator will cause the password to be printed on the screen in an error message if the password supplied fails validation.

Form from Config [default] action=/ method=post elements.username.type = "text" elements.username.options.label = "Username" elements.username.options.validators.alnum.validator = "alnum" elements.username.options.validators.regex.validator = "regex" elements.username.options.validators.regex.options.pattern = "/^[a-z]/i" elements.username.options.validators.strlen.validator = "StringLength" elements.username.options.validators.strlen.options.min = "6" elements.username.options.validators.strlen.options.max = "20" elements.username.options.required = true elements.username.options.filters.lower.filter = "StringToLower" elements.password.type = "password" elements.password.options.label = "Password" elements.password.options.validators.strlen.validator = "StringLength" elements.password.options.validators.strlen.options.min = "6" elements.password.options.validators.strlen.options.max = "20" elements.password.options.required = true elements.submit.type="submit"

IndexController::indexAction() $formConfig = new Zend_Config_Ini('form.login.ini', 'default');

    $form = new Zend_Form($formConfig);
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        echo $form->isValid($_POST)?'Valid':'Not Valid';
    $this->view->form = $form;

If the password is entered as "asdf" the error prints out as

'asdf' is less than 6 characters long

This can (and should) be viewed as a security risk. The password should be left blank if a validator is used for a password field.


Posted by Matthew Weier O'Phinney (matthew) on 2008-02-01T15:08:41.000+0000

Updating to include the Zend_Validate component, as this isn't specific to Zend_Form.

A number of validators include the original value passed to them when creating error messages. We should likely have a way to suppress such functionality on demand; if we did, the Password form element could set this on validators prior to running isValid().

Posted by Matthew Weier O'Phinney (matthew) on 2008-02-01T16:02:05.000+0000

One possibility is to modify Zend_Form_Element_Password::getMessages() to strip out the value:

<pre class="highlight">
// use raw value, as that is what is sent to validator
$value    = $this->getRawValue();
$messages = array();
foreach ($this->_messages as $key => $message) {
    $messages[$key] => str_replace($value, '', $message);
return $messages;

While not an ideal solution, it would likely only be used once per request. It is prone to potential error.

For now, you can very easily modify the messages by passing a 'messages' option to the validator options, with key value pairs of error codes => messages (this can be done from a config, as well).

Additionally, you can use a Zend_Translate_Adapter to translate error codes to messages; when you attach a translate adapter to a form, it will then translate the error messages accordingly.

Posted by Kevin Schroeder (kschroeder) on 2008-02-01T16:09:49.000+0000

Yeah, I've used my own code to work around that with deployable code, but now that it's being merged with what will probably be a very popular module (Building forms from a config file = brilliant) I think it would be a good idea to have a way to hide the password. I can help out with that, of course, but I think it would be prudent to have it added before 1.5 goes GA.

Posted by James Scherer (jscherer26) on 2008-02-04T16:56:38.000+0000

I would suggest substituting *'s for each character in the $value string as the default. Seeing

'****' is less then 6 characters long

seems more intuitively understandable for the user then

'' is less then 6 characters long

which suggests a programming problem in my opinion.

Posted by Matthew Weier O'Phinney (matthew) on 2008-02-11T11:16:32.000+0000

Done as of r7916.

Have you found an issue?

See the Overview section for more details.


© 2006-2017 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.