From 71d079c9f35873385adae647dea00b3e02053ff3 Mon Sep 17 00:00:00 2001
From: ralf <rb@egroupware.org>
Date: Fri, 25 Feb 2022 13:52:36 +0200
Subject: [PATCH] only send password (or hash) to client-side, if explicitly
 requested

---
 api/src/Etemplate/Widget/Password.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/api/src/Etemplate/Widget/Password.php b/api/src/Etemplate/Widget/Password.php
index 3e7cbe9997..b0797d787e 100644
--- a/api/src/Etemplate/Widget/Password.php
+++ b/api/src/Etemplate/Widget/Password.php
@@ -58,11 +58,11 @@ class Password extends Etemplate\Widget\Textbox
 			$preserv =& self::get_array(self::$request->preserv, $form_name, true);
 			$preserv = (string)$value;
 
-			if (!empty($value) && ((array_key_exists('viewable', $this->attrs) && $this->attrs['viewable'] === 'false') || $plaintext))
+			// only send password (or hash) to client-side, if explicitly requested
+			if (!empty($value) && (!array_key_exists('viewable', $this->attrs) || !in_array($this->attrs['viewable'], ['1', 'true', true], true)))
 			{
 				$value = str_repeat('*', strlen($preserv));
 			}
-			//$value = str_repeat('*', strlen($preserv));
 		}
 	}
 
@@ -146,4 +146,4 @@ class Password extends Etemplate\Widget\Textbox
 		$response->data($decrypted);
 	}
 }
-Etemplate\Widget::registerWidget(__NAMESPACE__.'\\Password', array('passwd'));
+Etemplate\Widget::registerWidget(__NAMESPACE__.'\\Password', array('passwd'));
\ No newline at end of file