We should treat it the way users expect "secret" information like this to be shown – hashed out until a user interacts with it (at least in JS mode; probably not worth it for PHP).
|mediawiki/core||master||+16 -9||Preferences: Don't show the watchlist token; just link to ResetTokens|
|Open||None||T64559 Redesign Special:Preferences (tracking)|
|Resolved||Volker_E||T180538 Improve Special:Preferences UI/UX|
|Resolved||Jdforrester-WMF||T180710 On the "Watchlist" preferences panel, don't show the user's watchlist token; instead just link to Special:ResetTokens|
For historical context, this preference used to be an editable text field a long time ago, but then we realized people don't understand it, so that was removed and replaced with Special:ResetTokens, but the preference help text remained on Special:Preferences.
I'm not sure if there is a reason to display it at all? We could just replace it with a link/button to Special:ResetTokens, like we do e.g. for the password.
I suppose it's there for people to copy-paste into third-party tools like AWB? Though it's available on Special:ResetTokens, the interface isn't lovely. Maybe we should just make that interface better though, yeah, let's do that.
Slightly related (I didn't test whether the above patch also fixes this, but it doesn't seem unlikely, so I'll comment here instead of a new task): Currently the info text about the token is duplicated, once below (directly visible) and once behind the help icon:
(To all hackers reading this: No, this is no longer my watchlist token, apart from the fact that my watchlist on beta.wmflabs doesn't contain anything interesting.)