Hello,
I noticed that when you create a password field in ZK and set its value in the composer, the password value is visible when you inspect the page source. Is it possible to set the value of the password field and keep it "hidden"?
ZUL:
    <zk>
        <window border="normal" title="hello" apply="pkg$.TestComposer">
            <textbox type="password" id="ttt"></textbox>
        </window>
    </zk>
Composer:
    import org.zkoss.zk.ui.*;
    import org.zkoss.zk.ui.event.*;
    import org.zkoss.zk.ui.util.*;
    import org.zkoss.zk.ui.ext.*;
    import org.zkoss.zk.au.*;
    import org.zkoss.zk.au.out.*;
    import org.zkoss.zul.*;

    public class TestComposer extends GenericForwardComposer {
        // auto-wired by GenericForwardComposer to the component with id="ttt" in the ZUL
        Textbox ttt;

        public void doAfterCompose(Component comp) throws Exception {
            super.doAfterCompose(comp);
            // the value set here is rendered into the page, so it shows up in the page source
            ttt.setValue("michal");
        }

        // handler for a button with id="btn" (no such button is declared in the ZUL above)
        public void onClick$btn(Event e) throws InterruptedException {
            Messagebox.show("Hi btn");
        }
    }
Thank you, Michal
It looks like you fill the password into a textbox from the server side. Input type password
is used to protect user input from being seen by someone nearby. It's not used to hide the value from the server.
If you want users to input a password, you don't need to set a value for a password field. What feature do you plan to implement?
Besides, if you can set a password into a textbox, that implies you store the password in plain text, which is a security weakness. See CWE-256: Plaintext Storage of a Password. It's not a recommended practice.
It's better to store a password as its hash value, or even a salted hash. Please see https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/
I found these solutions.
One, which is quite simple: I won't send the password to the zul page; I'll just show some "random" string, so the user already knows there is a password set, and when the user updates it, I'll handle it in the server-side code.
Another solution which I found is closer to what I wanted to achieve. The browser inspector shows only static content. If the "value" is set via JavaScript, the value won't be available in the field's value attribute. So by executing:
    document.getElementById('ttt').value = 'michal'
the value won't be visible in the inspector. The question is how long this will remain a solution, because browsers could change how the value is handled. But at least these days it works.
Of course, the field ID value is changed by ZK, but this can be handled quite easily. It's just an example.
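As an added example (not code from the thread or from ZK itself), here is a composer that combines the first approach above with the salted hashing the answer recommends: the field only ever renders a sentinel string, and a newly typed password is hashed with PBKDF2 on the server. The ZUL it assumes, the `save` button, the `PasswordComposer` name and the in-memory `storedRecord` are constructed for the illustration.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.zkoss.zk.ui.Component;
import org.zkoss.zk.ui.event.Event;
import org.zkoss.zk.ui.util.GenericForwardComposer;
import org.zkoss.zul.Messagebox;
import org.zkoss.zul.Textbox;

// Assumed ZUL (constructed, not from the post): a window applying this composer that
// contains <textbox type="password" id="ttt"/> and <button id="save" label="Save"/>.
public class PasswordComposer extends GenericForwardComposer {
    // Sentinel shown in the field so the user sees that a password is set; it is not the secret.
    private static final String PLACEHOLDER = "********";
    private static final int ITERATIONS = 210_000; // PBKDF2-HMAC-SHA256 work factor
    private static final SecureRandom RNG = new SecureRandom();

    Textbox ttt; // auto-wired by id, as in the original composer
    // Hypothetical persisted record "<base64 salt>$<base64 hash>"; the plain password is never stored.
    private String storedRecord = null;

    public void doAfterCompose(Component comp) throws Exception {
        super.doAfterCompose(comp);
        // Only the sentinel is rendered, so the page source never carries the real password.
        ttt.setValue(storedRecord != null ? PLACEHOLDER : "");
    }

    public void onClick$save(Event e) throws InterruptedException {
        String typed = ttt.getValue();
        // Untouched sentinel (or empty field) means the user did not change the password.
        if (typed == null || typed.isEmpty() || PLACEHOLDER.equals(typed)) {
            Messagebox.show("Password unchanged");
            return;
        }
        storedRecord = hashPassword(typed.toCharArray());
        ttt.setValue(PLACEHOLDER); // push the sentinel back so the plaintext leaves the field
        Messagebox.show("Password updated");
    }

    // Derives a fresh random salt and a PBKDF2-HMAC-SHA256 hash; returns "salt$hash" in base64.
    static String hashPassword(char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            byte[] hash = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            return Base64.getEncoder().encodeToString(salt) + "$" + Base64.getEncoder().encodeToString(hash);
        } catch (GeneralSecurityException ex) {
            throw new IllegalStateException("PBKDF2 unavailable", ex);
        }
    }
}
```

Verifying a login later means splitting the stored record on `$`, re-running PBKDF2 with the stored salt and the same iteration count, and comparing the two hashes with a constant-time comparison such as `MessageDigest.isEqual`.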
Asked: 2022-07-28 22:52:20 +0800
Seen: 11 times
Last updated: Aug 09 '22