ZF2-577: Password fields should always be empty by default

Issue Type: Improvement Created: 2012-09-20T23:49:45.000+0000 Last Updated: 2012-10-08T20:16:30.000+0000 Status: Closed Fix version(s): Reporter: Martin_P (martin_p) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend\Form

  • form
  • password
  • security

Related issues: Attachments:


When I display a password field in a view script, the field value is remembered and thus shows up in the HTML source code. I think it is bad practice to fill in password fields when the form validation fails, because it exposes the password in plain text in the HTML source code.

<pre class="highlight">
For now I fixed it in my view script by changing the password field value to an empty string before calling prepare()

$form = $this->form; /** Remove password value for security */ $form->get( 'password' )->setValue( '' ); $form->setAttribute( 'action', $this->url() ) ->prepare();```

In my opinion the method Zend\Form\Form::prepare() which calls Zend\Form\Fieldset::prepareElement() should take care of this and remove the value if the field is a password field to prevent the exposure of passwords.


Posted by Frank Br├╝ckner (frosch) on 2012-09-21T08:00:47.000+0000

Look at ZF1: renderPassword in Zend_View_Helper_FormPassword.

Posted by Ralph Schindler (ralph) on 2012-10-08T20:16:30.000+0000

This issue has been closed on Jira and moved to GitHub for issue tracking. To continue following the resolution of this issues, please visit:

Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.