Session expiry pages may echo password in clear text

    • 5.01
    • 2.6

      The "session expiry" and "XSRF token missing" pages will echo any submitted values. This may result in echoing the submitted password to the page in plain text if triggered on the WebSudo authentication page.

      Modify the error pages (session_expired.jsp and xsrf_missing.jsp) so they don't echo parameters whose names contain password.

      To reproduce, go to a websudo prompt, then log out in another tab, then submit the websudo form. Your password will be echoed back to you.

            Assignee:
            Oswaldo Hernandez (Inactive)
            Reporter:
            Richard Sadd
            Votes:
            6
            Watchers:
            21

              Created:
              Updated:
              Resolved:
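
One way to implement the filtering the issue asks for, as an added example that is not part of the original issue or the project's code: an error page builds the set of parameters it may echo from a map shaped like `ServletRequest.getParameterMap()`, dropping any name that contains "password". The class name, the sample parameter names, the case-insensitive match and the HTML escaping are assumptions of this example.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class EchoableParams {

    /** True if a parameter name contains "password" in any letter case (assumed rule). */
    static boolean isSensitive(String name) {
        return name.toLowerCase(Locale.ROOT).contains("password");
    }

    /** Minimal HTML escaping for names and values written back into the page. */
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    /**
     * Returns the parameters an error page may echo: password-like names are
     * dropped entirely, and every remaining name and value is HTML-escaped.
     */
    static Map<String, String[]> echoable(Map<String, String[]> params) {
        Map<String, String[]> out = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (isSensitive(e.getKey())) {
                continue; // never render the value, not even masked
            }
            String[] escaped = new String[e.getValue().length];
            for (int i = 0; i < escaped.length; i++) {
                escaped[i] = escape(e.getValue()[i]);
            }
            out.put(escape(e.getKey()), escaped);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample of a re-submitted WebSudo form; names are hypothetical.
        Map<String, String[]> submitted = new LinkedHashMap<>();
        submitted.put("webSudoPassword", new String[] {"hunter2"});
        submitted.put("webSudoDestination", new String[] {"/secure/admin?x=<1>"});
        submitted.put("confirmPASSWORD", new String[] {"hunter2"});

        echoable(submitted).forEach((k, v) ->
                System.out.println(k + " = " + String.join(", ", v)));
    }
}
```

In a JSP such as session_expired.jsp, the page would iterate over the result of `echoable(request.getParameterMap())` instead of the raw parameter map.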