Password fields should always be empty by default #2602

zfbot opened this Issue Sep 28, 2012 · 7 comments




Jira Information

Original Issue: ZF2-577
Issue Type: Improvement
Reporter: Martin_P
Created: 09/20/12
Assignee: weierophinney
Components: Zend\Form


When I display a password field in a view script, the field value is remembered and thus shows up in the HTML source code. I think it is bad practice to fill in password fields when the form validation fails, because it exposes the password in plain text in the HTML source code.

For now I fixed it in my view script by changing the password field value to an empty string before calling prepare():

```php
$form = $this->form;
/** Remove password value for security */
$form->get( 'password' )->setValue( '' );
$form->setAttribute( 'action', $this->url() );
```

In my opinion the method Zend\Form\Form::prepare() which calls Zend\Form\Fieldset::prepareElement() should take care of this and remove the value if the field is a password field to prevent the exposure of passwords.


(Originally posted by: froschdesign on 09/21/12)

Look at ZF1: `renderPassword` in `Zend_View_Helper_FormPassword`.


This issue was ported from the ZF2 Jira Issue Tracker at

Known GitHub users mentioned in the original message or comment:
@weierophinney, @froschdesign


I take it.

@weierophinney weierophinney added a commit that closed this issue Oct 1, 2012
@weierophinney weierophinney Merge branch 'hotfix/2613'
Close #2613
Close #2602

This isn't fixed when creating from factory with

    'name' => 'something',
    'attributes' => array(
        'type' => 'password',
    // ...

as opposed to

    'name' => 'something',
    'type' => 'Password',
    // ...

because \Zend\Form\Factory creates an instance of \Zend\Form\Element, not \Zend\Form\Element\Password. The only difference between these two, currently, is that the latter has the prepareElement method.
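The reporter's per-field workaround above and the factory gap described in this comment can both be covered by one pre-render guard. The following is an added example, not code from the Zend Framework project; it assumes the ZF2 Fieldset API (`getElements()`, `getFieldsets()`, `getAttribute()`, `setValue()`) and is meant to run before `prepare()`:

```php
<?php
// Added example (not from the Zend Framework code base): a defensive
// pre-render guard that blanks every password element in a form, including
// elements built by the factory with 'attributes' => array('type' => 'password')
// that are plain Zend\Form\Element instances and so never get the
// Element\Password::prepareElement() treatment.
// Assumes the ZF2 Fieldset API: getElements(), getFieldsets(),
// getAttribute(), setValue().
use Zend\Form\ElementInterface;
use Zend\Form\FieldsetInterface;

function isPasswordElement(ElementInterface $element)
{
    // Catch both ways of declaring a password field: the native
    // Element\Password class and a generic Element whose "type"
    // attribute is "password".
    return $element instanceof \Zend\Form\Element\Password
        || strtolower((string) $element->getAttribute('type')) === 'password';
}

function clearPasswordValues(FieldsetInterface $fieldset)
{
    foreach ($fieldset->getElements() as $element) {
        if (isPasswordElement($element)) {
            // Blank the value so it never reaches the rendered HTML source.
            $element->setValue('');
        }
    }
    // Recurse into nested fieldsets (sub-forms, collections).
    foreach ($fieldset->getFieldsets() as $child) {
        clearPasswordValues($child);
    }
}

// Usage in a view script, replacing the per-field workaround from the report:
// $form = $this->form;
// clearPasswordValues($form);
// $form->setAttribute('action', $this->url());
// $form->prepare();
```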


You should always create elements using the native element class. The same happens for other HTML5 elements: you can create a number element using "type" => "number", but you won't have the benefits of the validation based on min and max.

Fixing that would be ugly so I'm not sure I will do it.

@ghost Unknown pushed a commit that referenced this issue Jul 14, 2013
@weierophinney weierophinney Merge branch 'hotfix/2613'
Close #2613
Close #2602

Should there be an open issue tracking the lingering point about the "password" attribute vs. the type?

  • This issue is marked as closed, so a Googler might not realize that their issue (a password field that is populating) is actually mentioned here as an open issue.
  • This will never get fixed without an open issue.
  • Even if the code doesn't get fixed, an open issue might invite a PR improving documentation.
  • I ran into this mistake in the ZfcUser module so even experienced people aren't using the right structure.

Obviously, I can create an issue, but don't want to run afoul of the powers-that-be.

@claytondaley please open an issue with an example if you think there is a problem. You can simply reference this issue by linking it like #2602
