I am doing a password manager web app (like LastPass, etc.). One of the things that has occurred to me is that, after using PHP to retrieve the passwords from a db and decrypting them and then using JS to display them in the UI, the variables containing their passwords are visible if someone looks at the source code. Even if I did not use JS and used echo instead, it would still be in the source code. Does anyone know of a, hopefully not too complex, way that can prevent the passwords from being in the source code?
If you're talking about the HTML source code, this is normal. But there are a few ways to avoid it:
inspect on the page he doesn't see the password you can use an input and set in JavaScript the value of it. Then you set the input as disabled so the user cannot modify it. You can even change the type as password when needed so it's displayed as ****** when you want to hide it.
:after and to put the value inside it. But it will still be visible somewhere I think.
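The input-based approach from the answer above, as an added example that is not part of the original thread: the field starts empty and disabled, the password is set from JavaScript only while it is revealed, and it is cleared again on hide or after a timeout. `createSecretField`, `reveal`, `hide`, `fakeInput` and the timeout value are names and choices assumed for illustration.

```javascript
// Added example (not from the thread). `input` is an <input> element in the
// browser; any object with type/value/disabled properties behaves the same.
function createSecretField(input, hideAfterMs = 10000) {
  let timer = null;

  // Initial state: nothing sensitive in the markup, and the user cannot edit it.
  input.disabled = true;
  input.type = "password";
  input.value = "";

  function hide() {
    if (timer !== null) {
      clearTimeout(timer);
      timer = null;
    }
    input.type = "password"; // mask first, then drop the plaintext
    input.value = "";
  }

  // `secret` is one entry the caller fetched on demand (assumption: the page
  // requests it only when the user asks to see it, not at page load).
  function reveal(secret) {
    if (typeof secret !== "string" || secret.length === 0) {
      throw new TypeError("secret must be a non-empty string");
    }
    hide(); // reset any previous reveal and its timer
    input.value = secret;
    input.type = "text";
    timer = setTimeout(hide, hideAfterMs); // auto-hide after the timeout
  }

  return { reveal, hide, isRevealed: () => input.type === "text" };
}

// Constructed stand-in for document.createElement("input"), so the logic can
// be exercised outside a browser.
function fakeInput() {
  return { type: "text", value: "", disabled: false };
}
```

While the field is revealed, or masked with `type="password"` but still holding a value, the password is readable through `input.value` in the browser's developer tools, which matches the answer's point that it stays visible somewhere.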