I don't see how this is a security hole, unless the website gets hacked in another way. Every time you sign up for an account the website could save your password in plaintext which they could view later. Same thing for signing in, a website could just save the submitted password.
If for some reason my logic is flawed, then a lot of information would have to be denied, essentially any operation on a password input. You'd have to disable any .type, .val, and probably a couple of others on password fields.
Most websites include a host of JavaScript from other sites, like Google Analytics, Like-Buttons, Ads, and so on. If they all can get to the password it seems like an issue to me.
Personally I am surprised by this. AFAIK you cannot copy+paste the password from a password form field, so I just somehow assumed you couldn't get to it via JavaScript, either.
If a script wants to gain access to the prefilled stuff it has to come from the website creator unless the website is hacked with SQL injection or something like that, which still has the same problem: if they really want your password, on sign-in the website can just get the password value of the form and save it somewhere.
@david_nash
I would completely disagree. C5 template development is one of the easiest I've ever seen. Just a few snippets of PHP embedded in HTML.
In terms of your problem with the dashboard URL, there's a login link at the bottom of most themes and when logged in there's a big honking button that says dashboard. Not too complicated.
At first I thought c5 would only be good for simple brochure style sites, but when I got into the internals I found that it's a ton easier to build massive sites with than many other CMS/blogs like WordPress (a lot less confusing for the customer too).