Password entered on /users/sign_in leak into page source

To reproduce:

1. Go to https://gitlab.com/users/sign_in
2. Attempt to login with an invalid username+password combination.
3. Click the 'Sign in' button.
4. The page should say "Invalid login or password", and the password field should have been cleared. However, if you view the page source you will find the following:

<input value="ThisIsThePassword" class="form-control bottom" id="user_password_sign_up" placeholder="Password" required="required" type="password" name="user[password]" />

The value entered into the password box has leaked down into the 'Create an account' form underneath.

I believe this is a minor security vulnerability. While GitLab is generally served over HTTPS and this only affects invalid passwords, it may allow someone with access to the computer to acquire what the user believes to be their password (which they may be using for other websites), even after the password would usually no longer be stored.

Added ~14106 label

Hi @wolfgang42, I just tried to reproduce this, and came up empty. See the attached screenshot. Did I do something wrong?

And are you sure this is not your password managers doing? When I disabled the password manager the field got completely cleared on a wrong password.

@zj The field you have selected in the Inspector is the existing user password field, the password gets put into the new user password field, an entirely different form on the same page.

Ah, you are right. I'm seeing this too now.

@DouweM Could you set a milestone for this issue?

Milestone changed to 8.7

@zj Done. Thanks for investigating!

Reassigned to @timothyandrew

I'm assuming no one has picked this up; ping me if you have.

mentioned in merge request !3691 (merged)

Status changed to closed by commit 6d899f46

mentioned in commit 6d899f46

made the issue visible to everyone