Problem
When a user submits incorrect login credentials, the server re-renders the login page and echoes the submitted password back into the password input field's value attribute. Although the field visually masks the input (••••••), the plaintext password remains accessible in the DOM, browser DevTools, and page source.
Reproducing the bug
- Navigate to the login page
- Enter any username and a wrong password (e.g.,
test123)
- Submit the form
- When the page reloads with the error message, open browser DevTools
- Inspect the password input field
Observed:
<input type="password" value="test123">
Expected:
<input type="password" value="">
Context
- Browser (Chrome, Safari, Firefox, etc):
- OS (Windows, Mac, etc):
- Logged in (Y/N):
- Environment (prod, dev, local): prod
Screenshot
Problem
When a user submits incorrect login credentials, the server re-renders the login page and echoes the submitted password back into the password input field's
valueattribute. Although the field visually masks the input (••••••), the plaintext password remains accessible in the DOM, browser DevTools, and page source.Reproducing the bug
test123)Observed:
Expected:
Context
Screenshot