Issue Type: Improvement Created: 2012-09-20T23:49:45.000+0000 Last Updated: 2012-10-08T20:16:30.000+0000 Status: Closed Fix version(s): Reporter: Martin_P (martin_p) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend\Form
Related issues: Attachments:
When I display a password field in a view script, the field value is remembered and thus shows up in the HTML source code. I think it is bad practice to fill in password fields when the form validation fails, because it exposes the password in plain text in the HTML source code.
<pre class="highlight"> For now I fixed it in my view script by changing the password field value to an empty string before calling prepare()
$form = $this->form; /** Remove password value for security */ $form->get( 'password' )->setValue( '' ); $form->setAttribute( 'action', $this->url() ) ->prepare();```
In my opinion the method Zend\Form\Form::prepare() which calls Zend\Form\Fieldset::prepareElement() should take care of this and remove the value if the field is a password field to prevent the exposure of passwords.
Posted by Frank Brückner (frosch) on 2012-09-21T08:00:47.000+0000
Look at ZF1: renderPassword in Zend_View_Helper_FormPassword.
Posted by Ralph Schindler (ralph) on 2012-10-08T20:16:30.000+0000
This issue has been closed on Jira and moved to GitHub for issue tracking. To continue following the resolution of this issues, please visit: https://github.com/zendframework/zf2/issues/2602
Have you found an issue?
See the Overview section for more details.