Password value visible in page source

Question

asked 2022-07-28 22:52:20 +0800

updated 2022-07-28 23:07:06 +0800

Hello,

I noticed that when you create a password field in ZK and set it's value in composer, the password value is visible, when you inspect the page source. It is possible to set the value to the password field and keep it "hidden".

ZUL:

<zk>
    <window border="normal" title="hello" apply="pkg$.TestComposer">

      <textbox type="password" id="ttt"></textbox>
    </window>
</zk>

Composer:

import org.zkoss.zk.ui.*;
import org.zkoss.zk.ui.event.*;
import org.zkoss.zk.ui.util.*;
import org.zkoss.zk.ui.ext.*;
import org.zkoss.zk.au.*;
import org.zkoss.zk.au.out.*;
import org.zkoss.zul.*;

public class TestComposer extends GenericForwardComposer{

    Textbox ttt;

    public void doAfterCompose(Component comp) throws Exception {
        super.doAfterCompose(comp);

        ttt.setValue("michal");         
    }

    public void onClick$btn(Event e) throws InterruptedException{
        Messagebox.show("Hi btn");
    }
}

Thank you, Michal

Answer 1

answered 2022-08-08 14:17:28 +0800

hawk
3250 ● 1 ● 5
http://hawkphoenix.blogsp... ZK Team

updated 2022-08-09 10:07:54 +0800

It looks like you fill the password into a textbox from the server-side. Input type password is used to protect user input from being seen by someone aside. It's not used to hide the value from the server. If you want users to input a password, you don't need to set a value for a password field. What feature do you plan to implement?

Besides, if you can set a password into a textbox, that implies you store a password in plain text which is a security weakness. see CWE-256: Plaintext Storage of a Password It's not a recommended practice.

It's better to store a password in its hash value or even plus a salt. Please see https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/

Actually that's not something I've asked for. I just wanted to hide the "value" attribute content from browser "inspector", so the user won't be able to see the content, so the password.
mskala ( 2022-08-09 14:43:24 +0800 )edit

Answer 2

answered 2022-08-09 14:49:55 +0800

mskala
1

I found these solutions.

One, which is quite simple, I won't send the password to the zul page, so I'll just show some "random" string, so the user already knows, there is some password already set and when the user will update it, I'll handle it in the server side code.

Another solution which I found is more to what I wanted to achieve. The browser inspector shows only static content. If the "value" is set via javascript, the value won't be available in the field value attribute. So by executing:

document.getElementById('ttt').value = 'michal'

the value won't be visible in inspector. The question is, how long this will be a solution, because browsers could update how the value is handled. But at least these days it works.

Of course, the field ID value is changed by ZK, but this can be handled quite easily. It's just an example.

I see. I understand your use case and context better now.
hawk ( 2022-08-12 18:29:44 +0800 )edit
But if you send the password to a browser and set it by javascript. People can see the password through ajax response.
hawk ( 2022-08-12 18:31:45 +0800 )edit

CORE FRAMEWORK

FEATURED COMPONENTS

TOOLS

EXPLORE ZK

RESOURCES

LEARN ZK

RESOURCES

GET HELP

RESOURCES

MORE ABOUT ZK

MORE ABOUT ZK

Password value visible in page source

2 Answers

Comments

Comments

Question tools

Stats

Related questions