For us this led to password data suddenly appearing in the public company field.
This is a usability problem that should not happen as it can easily lead to passwords being exposed publicly (as was the case with us).
Sure I can work around it, as soon as I know about the problem, but I really expect the form library to take care of issues like this for me. I.e. I should not have to know about this.
Sorry, I don't know what you mean by this. Can you provide some sort of example?
Say I've got this form:
Now the user enters this info and comes back to this page later. Now the browser has decided to auto fill the form for him and auto fills the password form even though we didn't send that data from the server.
After now changing the form to include a company field like this:
The auto fill mechanism of the browser fills the password into the Company field which now shows it in the clear.
Apologies for the late response on this.
I'm really not sure how this could happen, as different fields in the form will always have different name elements, at least if no colander Sequence or Mapping objects are in play. The only thing I can think of is that some browser has a bug and chooses to put data in fields by remembering the id element of the form. I think I'd need to see this particular bug "in situ" to know what to do about it, because it is almost certainly browser specific. I currently lack the time to try to make it reproducible, so I'm going to need to leave this open and pray that someone else finds it and can do that work, and can suggest a fix. Apologies, I'd like to do something better than that.
Note that it's often a good idea to turn off form autocomplete on login pages à la https://developer.mozilla.org/en-US/docs/Mozilla/How_to_Turn_Off_Form_Autocompletion
I was not able to reproduce this in either Firefox or Chrome on Linux. We would probably need a specific browser report, though I believe this would be a browser bug even if confirmed.
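The suggestion in the thread to turn off autocomplete on login pages can be checked against rendered markup. The following is an added example, not part of the thread and not deform code: it uses Python's standard library to list inputs that leave `autocomplete` unset in any form containing a password field. The sample forms and the names `AutofillAudit` and `unguarded_fields` are constructed for illustration.

```python
from html.parser import HTMLParser

FILLABLE = {"text", "password", "email"}


class AutofillAudit(HTMLParser):
    """Record fillable inputs, per form, with their effective autocomplete value."""

    def __init__(self):
        super().__init__()
        self.forms = []             # one list of (name, type, autocomplete) per <form>
        self._form_default = None   # None while outside any <form>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form_default = a.get("autocomplete", "").lower()
            self.forms.append([])
        elif tag == "input" and self._form_default is not None:
            kind = a.get("type", "text").lower()
            if kind in FILLABLE:
                # An input's own attribute wins; otherwise it inherits the form's.
                effective = a.get("autocomplete", "").lower() or self._form_default
                self.forms[-1].append((a.get("name", ""), kind, effective))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_default = None


def unguarded_fields(html):
    """Names of fillable inputs with no autocomplete value, in forms holding a password input."""
    audit = AutofillAudit()
    audit.feed(html)
    flagged = []
    for fields in audit.forms:
        if any(kind == "password" for _, kind, _ in fields):
            flagged += [name for name, _, ac in fields if not ac]
    return flagged


# Constructed sample markup (not the form from the thread).
BEFORE = ('<form method="post"><input type="text" name="login">'
          '<input type="text" name="company"><input type="password" name="password"></form>')
AFTER = ('<form method="post" autocomplete="off"><input type="text" name="login">'
         '<input type="text" name="company">'
         '<input type="password" name="password" autocomplete="new-password"></form>')
```

Browser password managers may ignore `autocomplete="off"` on login fields, so this reports what the markup requests, not what a given browser will do.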