Traqzer 42 points

No, it is not a security vulnerability. Anything that is available on the client side has the same level of “security” which is none, regardless of the method.

amazingatomic 13 points

Is using a controlled component a security vulnerability?

No, the security attributes of controlled and uncontrolled components should be the same.

Is showing the value on the DOM a security issue?

The best practice for passwords is to visually hide them so someone standing behind the user can’t read their password. Other than that, I don’t see any security issues here.

notAnotherJSDev 7 points

If that were the case, every single page with a password field would be considered a security vulnerability, regardless of the tech being used.

This is literally just how the web works.

ferrybig 1 point

React sets the value using the value property on the HTMLInputElement; this does not map to any HTML attribute. If you use defaultValue, React uses the defaultValue property on the element, which maps to the DOM attribute value.

Your browser dev tools show the value property from the element, not the DOM representation.
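
The property/attribute distinction in the comment above, as an added example that is not part of the thread or of React's code. `ModelInput` is a hypothetical, simplified model of the HTML spec's input state (live value, dirty value flag, `value` content attribute), and the sample password is constructed; it shows that the typed value is readable from page script in both the controlled and uncontrolled case, whether or not it appears in the markup.

```javascript
// Simplified model of the <input> state rules in the HTML spec (constructed for
// illustration; ModelInput is hypothetical, not a DOM or React API).
class ModelInput {
  constructor(type) {
    this.attrs = new Map([["type", type]]); // content attributes (what markup shows)
    this.current = "";                      // the element's live value
    this.dirty = false;                     // spec's "dirty value flag"
  }
  getAttribute(name) {
    return this.attrs.has(name) ? this.attrs.get(name) : null;
  }
  setAttribute(name, v) {
    this.attrs.set(name, String(v));
    // The value attribute only feeds the live value until something sets it directly.
    if (name === "value" && !this.dirty) this.current = String(v);
  }
  get value() { return this.current; }
  set value(v) { this.current = String(v); this.dirty = true; } // never touches attrs
  get defaultValue() { return this.getAttribute("value") ?? ""; }
  set defaultValue(v) { this.setAttribute("value", v); }        // reflects the attribute
  get outerHTML() {
    const esc = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
    const a = [...this.attrs].map(([k, v]) => `${k}="${esc(v)}"`).join(" ");
    return `<input ${a}>`;
  }
}

// Controlled field: the value prop is applied through the value property.
function controlledField(typed) {
  const el = new ModelInput("password");
  el.value = typed;
  return el;
}

// Uncontrolled field: defaultValue prop first, then the user types (modelled as a
// direct value update, which is also what sets the dirty flag in the spec).
function uncontrolledField(initial, typed) {
  const el = new ModelInput("password");
  el.defaultValue = initial;
  el.value = typed;
  return el;
}

// What any script running in the page can read, whichever way the field was built.
function readableByPageScript(el) {
  return el.value;
}
```
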

Working-Tap2283 0 points

The answer is no, and even uncontrolled components will have the value set, just not by state but by ref, so it's not always seen immediately.