After a scan by the vulnerability scanner, it issued the following:
Using the POST HTTP method, Nessus found that :
+ The following resources may be vulnerable to blind SQL injection :
+ The 'login_form[login]' parameter of the /en CGI :
/en [forgot_password_form[email]=&login_form[password]=&login_form[_token]=msXdk4BmVTJpDGVgL2krii8WoAdK3DqDqgteG8ZgEbo&contact_form[_token]=NgJelrgpii_zUASWKBGtpBfVkTggOiEs0ZeM2GVEV5A&contact_form[email]=&contact_form[text]=&forgot_password_form[_token]=s6Dq4s0-K4gL3a6NZPh93sm4NDLGyYoXAkLPwX2BbGw&login_form[login]=zz&login_form[password]=&login_form[_token]=msXdk4BmVTJpDGVgL2krii8WoAdK3DqDqgteG8ZgEbo&contact_form[_token]=NgJelrgpii_zUASWKBGtpBfVkTggOiEs0ZeM2GVEV5A&contact_form[email]=&contact_form[text]=&forgot_password_form[_token]=s6Dq4s0-K4gL3a6NZPh93sm4NDLGyYoXAkLPwX2BbGw&login_form[login]=yy]
-------- output --------
[...]
<form name="login_form" method="post">
<div id="login_form"><ul><li>The CSRF token is invalid. Please try to resubmit the form.</li></ul><div><input type="text" id="login_form_login" name="login_form[login]" required="required" class="form-control" placeholder=".........." /></div><div><input type="p [...]
</div>
-------- vs --------
[...]
<form name="login_form" method="post">
<div id="login_form"><ul><li>The CSRF token is invalid. Please try to resubmit the form.</li></ul><div><input type="text" id="login_form_login" name="login_form[login]" required="required" class="form-control" placeholder=".........." value="yy" /></div><div><in [...]
</div>
In the form builder I added "'value' => ''":
use Symfony\Component\Form\Extension\Core\Type\TextType;
use Symfony\Component\Form\FormBuilderInterface;

class LoginFormType extends \Symfony\Component\Form\AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        // 'value' under 'attr' is emitted as an extra HTML attribute, next to the value Symfony already renders
        $builder->add('login', TextType::class, array('label' => false, 'attr' =>
            array('class' => 'form-control', 'placeholder' => 'Login',
                  'autocomplete' => 'disabled', 'value' => '')));
    }
}
After this, the POST response returns the input with two 'value' attributes:
<input type="text" id="login_form_login" name="login_form[login]"
required="required" class="form-control" placeholder="Login"
autocomplete="disabled" value="" value="yy" />
Is it possible to remove the second value from the response (after the POST request), or is there another way to solve the problem?
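What the report above actually shows is that the responses to login_form[login]=zz and login_form[login]=yy differ only in the submitted value being echoed back into the input's value attribute; Nessus's blind-SQL-injection check keys on that response difference, not on any database behaviour. Putting 'value' => '' under 'attr' cannot suppress the echo, because Symfony emits 'attr' entries verbatim as additional HTML attributes alongside the value="..." it already renders from the submitted data. The following is an added example, not code from the question or from Symfony itself; it assumes a Symfony 4/5-style application, an App\Form\LoginFormType with no 'value' in 'attr', and a /en controller action, and shows one way to keep the validation errors while rendering a fresh, empty form after a failed submission so nothing the client sent is reflected.

```php
<?php
// Added example (not from the question or from Symfony). File split is marked
// with comments; each part goes in the usual src/Form and src/Controller location.

// --- src/Form/LoginFormType.php ---
namespace App\Form;

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\PasswordType;
use Symfony\Component\Form\Extension\Core\Type\TextType;
use Symfony\Component\Form\FormBuilderInterface;

class LoginFormType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        // Only real HTML attributes belong in 'attr'. The value="..." attribute
        // is rendered from the form's data, so it is controlled by what data the
        // form holds when it is rendered, not by 'attr'.
        $builder
            ->add('login', TextType::class, [
                'label' => false,
                'attr'  => ['class' => 'form-control', 'placeholder' => 'Login', 'autocomplete' => 'off'],
            ])
            ->add('password', PasswordType::class, ['label' => false]);
    }
}

// --- src/Controller/LoginController.php ---
namespace App\Controller;

use App\Form\LoginFormType;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class LoginController extends AbstractController
{
    /**
     * @Route("/en", name="login", methods={"GET","POST"})
     */
    public function index(Request $request): Response
    {
        $form = $this->createForm(LoginFormType::class);
        $form->handleRequest($request);

        if ($form->isSubmitted() && $form->isValid()) {
            // Authentication itself is assumed to happen elsewhere (e.g. the
            // security component); on success, redirect rather than re-render.
            return $this->redirectToRoute('login');
        }

        if ($form->isSubmitted()) {
            // Invalid submission (for instance a bad CSRF token): collect the
            // error messages, then build a fresh, empty form for rendering so the
            // client-supplied login is never echoed back into value="...".
            $errors = [];
            foreach ($form->getErrors(true) as $error) {
                $errors[] = $error->getMessage();
            }
            $form = $this->createForm(LoginFormType::class);

            return $this->render('login.html.twig', [
                'form'   => $form->createView(),
                'errors' => $errors,
            ]);
        }

        return $this->render('login.html.twig', [
            'form'   => $form->createView(),
            'errors' => [],
        ]);
    }
}
```

If you prefer to keep rendering the submitted form, the same effect can be had in the template by overriding the widget's value variable, e.g. {{ form_widget(form.login, {'value': ''}) }}, which replaces the rendered value instead of adding a second attribute. Either way, removing the echo only removes the response difference the scanner keyed on; the check that matters for the finding itself is that the login value never reaches a SQL statement other than as a bound parameter (which Doctrine's query builder and DBAL parameters already guarantee).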