Password fields should always be empty by default #2602

Closed
zfbot opened this Issue Sep 28, 2012 · 7 comments


5 participants

@zfbot

Jira Information

Original Issue: ZF2-577
Issue Type: Improvement
Reporter: Martin_P
Created: 09/20/12
Assignee: weierophinney
Components: Zend\Form

Description

When I display a password field in a view script, the field value is remembered and thus shows up in the HTML source code. I think it is bad practice to fill in password fields when the form validation fails, because it exposes the password in plain text in the HTML source code.

For now I fixed it in my view script by changing the password field value to an empty string before calling prepare():

```php
$form = $this->form;
/** Remove password value for security */
$form->get( 'password' )->setValue( '' );
$form->setAttribute( 'action', $this->url() )
     ->prepare();
```

In my opinion the method Zend\Form\Form::prepare() which calls Zend\Form\Fieldset::prepareElement() should take care of this and remove the value if the field is a password field to prevent the exposure of passwords.

@zfbot

(Originally posted by: froschdesign on 09/21/12)

Look at ZF1: [`renderPassword`](http://framework.zend.com/code/filedetails.php?repname=Zend+Framework&path=%2Ftags%2Frelease-1.12.0%2Flibrary%2FZend%2FView%2FHelper%2FFormPassword.php) in `Zend_View_Helper_FormPassword`.

@zfbot

This issue was ported from the ZF2 Jira Issue Tracker at
http://framework.zend.com/issues/browse/ZF2-577

Known GitHub users mentioned in the original message or comment:
@weierophinney, @froschdesign

@bakura10

I take it.

@weierophinney weierophinney added a commit that closed this issue Oct 1, 2012
@weierophinney weierophinney Merge branch 'hotfix/2613'
Close #2613
Close #2602
90cfc28
@ghost

This isn't fixed when creating from factory with

```php
array(
    'name' => 'something',
    'attributes' => array(
        'type' => 'password',
    ),
    // ...
)
```

as opposed to

```php
array(
    'name' => 'something',
    'type' => 'Password',
    // ...
)
```

because \Zend\Form\Factory creates an instance of \Zend\Form\Element, not \Zend\Form\Element\Password. The only difference between these two, currently, is that the latter has the prepareElement method.
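The difference described in the report above and in this comment, as an added example that is not code from the thread or from Zend Framework itself: one form holds two password elements, one declared with `'type' => 'Password'` and one with the `'attributes'` shortcut, and after `prepare()` only the native element has had its submitted value cleared. It assumes a Zend Framework 2 install (after the hotfix/2613 merge) with `Zend\Form` autoloadable and a constructed sample submission.

```php
<?php
// Added example, not part of the issue thread or of Zend\Form.
// Assumes ZF2 with Composer autoloading available.
require 'vendor/autoload.php';

use Zend\Form\Form;
use Zend\Form\Element\Password;

$form = new Form('login');

// Native element class: the factory instantiates Zend\Form\Element\Password,
// whose prepareElement() empties the value when the form is prepared.
$form->add(array(
    'name' => 'pw_native',
    'type' => 'Password',
));

// Attribute shortcut: the factory instantiates plain Zend\Form\Element,
// which has no prepareElement(), so the value survives into the rendered HTML.
$form->add(array(
    'name' => 'pw_attr',
    'attributes' => array('type' => 'password'),
));

// Constructed sample submission, e.g. a POST that failed validation on another field.
$form->setData(array(
    'pw_native' => 'hunter2',
    'pw_attr'   => 'hunter2',
));

$form->prepare();

var_dump($form->get('pw_native') instanceof Password); // bool(true)
var_dump($form->get('pw_native')->getValue());         // string(0) ""
var_dump($form->get('pw_attr')->getValue());           // string(7) "hunter2"

// Mitigation for forms that use the attribute shortcut: clear the value
// in the view before prepare(), as the original report does.
$form->get('pw_attr')->setValue('');
var_dump($form->get('pw_attr')->getValue());           // string(0) ""
```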

@bakura10

You should always create elements using the native element. The same happens for other HTML5 elements: you can create a number element using `"type" => "number"`, but you won't have the benefits of the validation based on min and max.

Fixing that would be ugly so I'm not sure I will do it.

@ghost Unknown pushed a commit that referenced this issue Jul 14, 2013
@weierophinney weierophinney Merge branch 'hotfix/2613'
Close #2613
Close #2602
a7c4ce1
@claytondaley

Should there be an open issue tracking the lingering point about the "password" attribute vs. the type?

  • This issue is marked as closed, so a Googler might not realize that their issue (a password field that is populating) is actually mentioned here as an open issue.
  • This will never get fixed without an open issue.
  • Even if the code doesn't get fixed, an open issue might invite a PR improving documentation.
  • I ran into this mistake in the ZfcUser module, so even experienced people aren't using the right structure.

Obviously, I can create an issue, but don't want to run afoul of the powers-that-be.

@Ocramius
Zend Framework member

@claytondaley please open an issue with an example if you think there is a problem. You can simply reference this issue by linking it like #2602
