From d654ff6ddec48348dcf2ce056d6de2f0995e2e5e Mon Sep 17 00:00:00 2001
From: Angie Byron <webchick@24967.no-reply.drupal.org>
Date: Sat, 29 Jan 2011 10:08:45 +0000
Subject: [PATCH] #690980 by Dave Reid, grendzy, cwgordon7: Security hardening:
 Ensure password fields are empty on display.

---
 includes/form.inc      | 2 +-
 modules/user/user.test | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/includes/form.inc b/includes/form.inc
index 7f8cbc64b41e..d19c82ada665 100644
--- a/includes/form.inc
+++ b/includes/form.inc
@@ -3724,7 +3724,7 @@ function theme_textarea($variables) {
 function theme_password($variables) {
   $element = $variables['element'];
   $element['#attributes']['type'] = 'password';
-  element_set_attributes($element, array('id', 'name', 'value', 'size', 'maxlength'));
+  element_set_attributes($element, array('id', 'name', 'size', 'maxlength'));
   _form_set_class($element, array('form-text'));
 
   return '<input' . drupal_attributes($element['#attributes']) . ' />';
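Review bot: Dropping `'value'` from the element_set_attributes() list stops `#value` from being copied into `#attributes`, but the last line still renders everything already in `$element['#attributes']`, so a form builder that sets `#attributes['value']` directly would still echo the password into the markup. A defensive `unset($element['#attributes']['value']);` placed just before the `return` would make the hardening hold regardless of how the element was built, and the intent deserves a comment at the call site, e.g. `// Never render #value: a password must not be echoed back into the page.`, since nothing in the hunk explains why 'value' is absent from the list. The function's closing brace and its docblock lie outside the hunk.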
diff --git a/modules/user/user.test b/modules/user/user.test
index d999c85e2c98..31e19e267f4d 100644
--- a/modules/user/user.test
+++ b/modules/user/user.test
@@ -406,6 +406,7 @@ class UserLoginTestCase extends DrupalWebTestCase {
       'pass' => $account->pass_raw,
     );
     $this->drupalPost('user', $edit, t('Log in'));
+    $this->assertNoFieldByXPath("//input[@name='pass' and @value!='']", NULL, t('Password value attribute is blank.'));
     if (isset($flood_trigger)) {
       if ($flood_trigger == 'user') {
         $this->assertRaw(format_plural(variable_get('user_failed_login_user_limit', 5), 'Sorry, there has been more than one failed login attempt for this account. It is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', 'Sorry, there have been more than @count failed login attempts for this account. It is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', array('@url' => url('user/password'))));
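Review bot: The new assertNoFieldByXPath() is a negative check, so it is satisfied vacuously whenever the response contains no `pass` input at all; after a successful drupalPost() to `user` the login form is presumably no longer on the page, in which case this line tests nothing on that path. Pairing it with a positive `$this->assertFieldByXPath("//input[@name='pass']", NULL, t('Password field is present.'));` in the branch where the form is expected to be re-rendered, or asserting against a page that is known to render the form, would make the regression check meaningful. The enclosing test method starts before the hunk.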
-- 
GitLab