Password value visible in page source

asked 2022-07-28 22:52:20 +0800

mskala

updated 2022-07-28 23:07:06 +0800


I noticed that when you create a password field in ZK and set its value in composer, the password value is visible when you inspect the page source. It is possible to set the value to the password field and keep it "hidden".


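    <window border="normal" title="hello" apply="pkg$.TestComposer">
      <textbox type="password" id="ttt"></textbox>
      <!-- assumed: the button handled by onClick$btn; its markup is missing from the post -->
      <button id="btn" label="btn"/>
    </window>

    // TestComposer.java
    import org.zkoss.zk.ui.*;
    import org.zkoss.zk.ui.event.*;
    import org.zkoss.zk.ui.util.*;
    import org.zkoss.zk.ui.ext.*;
    import org.zkoss.zk.au.*;
    import org.zkoss.zk.au.out.*;
    import org.zkoss.zul.*;

    public class TestComposer extends GenericForwardComposer {

        // Auto-wired to <textbox id="ttt"> by GenericForwardComposer
        Textbox ttt;

        public void doAfterCompose(Component comp) throws Exception {
            super.doAfterCompose(comp);
            // The method body is missing from the post; per the question, the
            // password value is set here. "<password>" is a placeholder.
            ttt.setValue("<password>");
        }

        // Forwarded click handler for the component with id "btn"
        public void onClick$btn(Event e) throws InterruptedException {
            Messagebox.show("Hi btn");
        }
    }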

Thank you, Michal


2 Answers


answered 2022-08-08 14:17:28 +0800

hawk (ZK Team)

updated 2022-08-09 10:07:54 +0800

It looks like you fill the password into a textbox from the server-side. Input type password is used to protect user input from being seen by someone aside. It's not used to hide the value from the server. If you want users to input a password, you don't need to set a value for a password field. What feature do you plan to implement?

Besides, if you can set a password into a textbox, that implies you store a password in plain text, which is a security weakness. See CWE-256: Plaintext Storage of a Password. It's not a recommended practice.

It's better to store a password in its hash value or even plus a salt. Please see https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/



Actually that's not something I've asked for. I just wanted to hide the "value" attribute content from browser "inspector", so the user won't be able to see the content, so the password.

mskala (2022-08-09 14:43:24 +0800)

answered 2022-08-09 14:49:55 +0800

mskala

I found these solutions.

One, which is quite simple: I won't send the password to the zul page; I'll just show some "random" string, so the user knows there is a password already set, and when the user updates it, I'll handle it in the server-side code.

Another solution which I found is more to what I wanted to achieve. The browser inspector shows only static content. If the "value" is set via javascript, the value won't be available in the field value attribute. So by executing:

    document.getElementById('ttt').value = 'michal'

the value won't be visible in inspector. The question is, how long this will be a solution, because browsers could update how the value is handled. But at least these days it works.

Of course, the field ID value is changed by ZK, but this can be handled quite easily. It's just an example.



I see. I understand your use case and context better now.

hawk (2022-08-12 18:29:44 +0800)

But if you send the password to a browser and set it by JavaScript, people can see the password through the ajax response.

hawk (2022-08-12 18:31:45 +0800)
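
An added example, not from the thread or from ZK: the placeholder approach from the second answer combined with the salted hashing recommended in the first, in plain Java so it runs without a servlet container. The class and method names, the mask string and the PBKDF2 parameters are assumptions; in a composer, `valueForClient` would feed `ttt.setValue(...)` and `onSubmit` would run in the save handler.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added example; names, mask and PBKDF2 parameters are assumptions, not ZK code.
public class PasswordFieldPolicy {
    // Fixed string shown when a password exists; it carries no secret.
    static final String MASK = "********";
    static final int ITERATIONS = 600_000, KEY_BITS = 256;

    // Value the server puts in the textbox: the mask or nothing, never the password.
    static String valueForClient(String storedRecord) {
        return storedRecord == null ? "" : MASK;
    }

    // Stored record is base64(salt):base64(PBKDF2 output); no plaintext is kept.
    static String hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        byte[] dk = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + ":" + b64.encodeToString(dk);
    }

    // On save: an empty field or the untouched mask keeps the current password.
    static String onSubmit(String submitted, String storedRecord) throws Exception {
        if (submitted.isEmpty() || submitted.equals(MASK)) return storedRecord;
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return hash(submitted.toCharArray(), salt);
    }

    // Login check: re-derive with the stored salt, compare in constant time.
    static boolean verify(String candidate, String storedRecord) throws Exception {
        byte[] salt = Base64.getDecoder().decode(storedRecord.split(":")[0]);
        String derived = hash(candidate.toCharArray(), salt);
        return MessageDigest.isEqual(derived.getBytes(), storedRecord.getBytes());
    }

    public static void main(String[] args) throws Exception {
        String record = onSubmit("constructed-sample-pw", null); // constructed input
        System.out.println("sent to browser: " + valueForClient(record));
        System.out.println("mask resubmitted, record unchanged: " + (onSubmit(MASK, record) == record));
        System.out.println("verify correct: " + verify("constructed-sample-pw", record));
        System.out.println("verify wrong: " + verify("other", record));
    }
}
```

Because the mask is a constant, neither the page source nor the ajax response contains anything derived from the real password; the one trade-off is that a user cannot choose the mask string itself as a new password.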