Merge branch 'form/empty-passwords' of https://github.com/bakura10/zf2 …

…into hotfix/2613

library/Zend/Form/Element/Password.php

@@ -21,7 +21,9 @@
 
 namespace Zend\Form\Element;
 
+use Zend\Form\Form;
 use Zend\Form\Element;
+use Zend\Form\ElementPrepareAwareInterface;
 
 /**
  * @category   Zend
@@ -30,7 +32,7 @@
  * @copyright  Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
  * @license    http://framework.zend.com/license/new-bsd     New BSD License
  */
-class Password extends Element
+class Password extends Element implements ElementPrepareAwareInterface
 {
     /**
      * Seed attributes
@@ -40,4 +42,15 @@ class Password extends Element
     protected $attributes = array(
         'type' => 'password',
     );
+
+    /**
+     * Remove the password before rendering if the form fails in order to avoid any security issue
+     *
+     * @param  Form $form
+     * @return mixed
+     */
+    public function prepareElement(Form $form)
+    {
+        $this->setValue('');
+    }
 }

tests/ZendTest/Form/FormTest.php

@@ -22,6 +22,11 @@
 
 class FormTest extends TestCase
 {
+    /**
+     * @var Form
+     */
+    protected $form;
+
     public function setUp()
     {
         $this->form = new Form();
@@ -1099,5 +1104,26 @@ public function testSetDataIsTraversable()
         $this->assertTrue($this->form->isValid());
     }
 
+    public function testResetPasswordValueIfFormIsNotValid()
+    {
+        $this->form->add(array(
+            'type' => 'Zend\Form\Element\Password' ,
+            'name' => 'password'
+        ));
 
+        $this->form->add(array(
+            'type' => 'Zend\Form\Element\Email',
+            'name' => 'email'
+        ));
+
+        $this->form->setData(array(
+            'password' => 'azerty',
+            'email'    => 'wrongEmail'
+        ));
+
+        $this->assertFalse($this->form->isValid());
+        $this->form->prepare();
+
+        $this->assertEquals('', $this->form->get('password')->getValue());
+    }
 }