Open Bug 1699959 Opened 3 years ago Updated 3 years ago

paste into text area is hidden

Categories

(Core :: DOM: Editor, defect, P3)

Firefox 86
defect

Tracking

()

UNCONFIRMED

People

(Reporter: frederik-mozilla, Unassigned)

Details

(Keywords: testcase-wanted)

Attachments

(3 files)

Attached image step 4

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0

Steps to reproduce:

  1. Install the Textern extension. This is not a bug in Textern; keep reading.

  2. Try to submit a review on Yelp

  3. Edit the review text using Textern's configured external editor

  4. The text area shows the text from the editor superimposed with the prompt text that had been visible when the area was empty (this is not a Firefox bug, it belongs to Textern or Yelp)

  5. Try pasting something from the clipboard. There is apparently no change in the text area.

  6. When you submit the review, you'll see that it includes the text you pasted.

The biggest problem for Firefox is #6.

If you add this step, you can see that even a user with perfect memory will be confused:

4a. Ctrl-a Ctrl-x. Ctrl-a selects the text you entered, and Ctrl-x should cut it, but doesn't.

Usually, if a website (GitHub, Stack Exchange) doesn't register that Textern has changed the text area, I can fix this with Ctrl-a Ctrl-x Ctrl-v. These keystrokes, typed in a text area, should never reveal private information to a website. That means that this is both a bug and a security hole.

My personal opinion is that #5 is also a problem, because most users don't have a ready memory of what is in the clipboard, and depend on seeing the result of "Paste" to know if it is private or not.

Please do not close this as a bug in Textern. After Textern edits the text area, it is no longer running.

Please correct me if I'm wrong, but it seems clear that it is possible to recreate the bug using just JavaScript and no extensions. I think this could be done using a textarea that blocks "cut" but allows "paste", but it might also have to duplicate whatever Yelp is doing to make the paste invisible. It's outside of my abilities to create a minimal test case. I'm reporting this because it is a security issue that concerns me, not because I can fix it.

I'm attaching screenshots for steps 4, 5, and 6. Thanks.

Attached image Step 5
Attached image step 6

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Editor' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → DOM: Editor
Product: Firefox → Core

Textern just sets the value of <textarea> or the innerHTML of <div contenteditable>.
https://github.com/jlebon/textern/blob/876a83bfac82328120069a75a80aaa2763aed786/webex/content.js#L118

And it does not watch for DOM tree changes in the contenteditable. So it sounds like the step #6 result must be valid behavior.

On the other hand, the step #5 behavior is indeed a problem for users. However, doesn't it occur only on Yelp? If so, I guess that the pasted content is in an element whose color is transparent or whose style is just invisible (e.g., display: none). Could you check the style of the pasted content on Yelp with the Inspector in Web Developer Tools?

Flags: needinfo?(frederik-mozilla)
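
An added example, not part of the bug thread and not code from Textern, Yelp or Firefox: a model of how a page can fail to register a value that a script assigns directly, as the comment above describes for Textern, so that what is displayed and what is submitted diverge. It assumes the page tracks field contents through `input` events; `FakeTextarea`, `ReviewWidget` and the sample text are hypothetical stand-ins.

```javascript
// Constructed model (Node 15+ or a browser console); not Yelp's or Textern's code.
// FakeTextarea stands in for a <textarea>: assigning .value fires no event,
// which matches how the DOM treats script-assigned values.
class FakeTextarea extends EventTarget {
  constructor() {
    super();
    this.value = "";
  }
}

// Hypothetical page widget (assumption): it decides whether to draw the
// placeholder prompt from what it last saw in an "input" event.
class ReviewWidget {
  constructor(textarea) {
    this.textarea = textarea;
    this.placeholderVisible = true;
    textarea.addEventListener("input", () => {
      this.placeholderVisible = textarea.value.length === 0;
    });
  }
  submit() {
    return this.textarea.value; // submission reads the live field
  }
}

// Direct assignment, as the comment above describes for the extension.
function setValueOnly(textarea, text) {
  textarea.value = text;
}

// Assignment followed by the event that user typing would have produced.
function setValueAndNotify(textarea, text) {
  textarea.value = text;
  textarea.dispatchEvent(new Event("input", { bubbles: true }));
}

function demo() {
  const text = "review written in an external editor"; // constructed sample
  const ta = new FakeTextarea();
  const widget = new ReviewWidget(ta);
  setValueOnly(ta, text);
  const silent = { placeholderVisible: widget.placeholderVisible, submitted: widget.submit() };
  setValueAndNotify(ta, text);
  const notified = { placeholderVisible: widget.placeholderVisible, submitted: widget.submit() };
  return { silent, notified };
}

console.log(demo());
```

In the `silent` case the placeholder is still drawn over the field while `submit()` already returns the assigned text, which is the mismatch between display and submission reported in steps 4 and 6.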

Sorry, I'm too busy to be very responsive on this bug. I think what is needed is a minimal test case, so that people can reproduce it without installing Textern. I'm not sure if it should use transparent text or invisible text, I think as long as it blocks "cut" and makes "paste" invisible then you have a problem.

Flags: needinfo?(frederik-mozilla)
Severity: -- → S3
Keywords: testcase-wanted
Priority: -- → P3

I'm not sure if anyone has read this bug closely enough to act on it, but it is a security hole and I wanted to point out that the easiest way to fix it would be to simply clear the clipboard whenever the user presses Ctrl-X. This clearing should happen whether or not the web page or text area overrides the copy/paste commands. If you do this then the user's expectation will be satisfied, namely that he can type Ctrl-V after Ctrl-X in any web page without revealing anything private.

I would prefer of course if Firefox gave me an easy way to disable the APIs that provide web pages with the ability to interact directly with the clipboard.
