It is possible to circumvent the maxlength property of an input field by exploiting autocomplete.




16 years ago
13 years ago


(Reporter: cheald45, Assigned: mats)






(2 attachments)



16 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030429 Mozilla Firebird/ StumbleUpon/1.60
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030429 Mozilla Firebird/ StumbleUpon/1.60

I have a form that I am developing, with a MAXLENGTH="35" property. I also have
some test data stored in my autocomplete buffer that is 35 characters long. I
can enter 36 characters into the field with the following procedure. (See
procedure box)

Reproducible: Always

Steps to Reproduce:
1. Select the input field with the maxlength parameter set.
2. Enter the first two characters of your string.
3. Select an entry from the autocomplete box
4. Hit home to go to the beginning of the string.
5. Fill the field to length with data
6. Arrow to another entry
7. Press a key. That character will be entered into the field, taking its length
to maxlength + 1.

Also, I've noticed that by arrowing to an entry, pressing a key, arrowing to
another, another key, etc etc, I can sometimes make entries disappear from the
autocomplete box. However, this is so sporadic that I can't seem to formulate a
replication procedure.
Actual Results:  
I can enter maxlength + 1 characters into an input field.

Expected Results:  
It should have limited the field to maxlength characters.

I'm using the April 29th nightly with the standard theme. No extensions that
affect the autocompletion are installed.

Comment 1

Chris, you mentioned a form you are developing. Can you provide a testcase based
on your development, so that others can test and confirm this behaviour? Without
a clear testcase, these things are difficult to fix.

Comment 2

16 years ago
Created attachment 122579 [details]
Example form that I am producing the problem with

The field in question here is "COMPANY" - I exploited the bug on that field,
but I am able to replicate this problem with any input text field with a
maxlength value assigned.

Comment 3

16 years ago
I just read over my procedure, and I realize I omitted one important detail in
my final draft: There must be at least two autofill options in the autofill box
before this is exploitable. I haven't tried it without autofill data, but I
imagine it would still apply.

Comment 4

16 years ago
I can confirm this problem using Mozilla/5.0 (Windows; U; WinNT4.0; en-US;
rv:1.4b) Gecko/20030504 Mozilla Firebird/0.6 together with a stripped down
version of my webmailer's login page.

Comment 5

16 years ago
Created attachment 122654 [details]
Another test-case to reproduce the bug

Steps to reproduce the problem contained in the test-case. I can confirm also
the problem of getting empty entries in the autocomplete dropdown, but
currently don't have detailed steps to 100% recreate this effect...

Comment 6

16 years ago
Confirming this one since we have a reproducible testcase for the problem.
Ever confirmed: true

Comment 7

16 years ago
Taking QA. Sorry for the bugspam
QA Contact: asa → davidpjames

Comment 8

14 years ago
Could this be related/duped to bug 207623?  A WFM on the trunk would be a dead
Assignee: hewitt → nobody
QA Contact: davidpjames →

Comment 9

Form fill no longer fills in the selected text as you navigate through items in
the dropdown using the keyboard.

Can somebody confirm WFM?

Comment 10

13 years ago
WFM on mozilla1.8 branch:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20051006

Trunk, anyone?

Comment 11

13 years ago
Still occurs (2005-10-07-01 Linux), but different steps to reproduce:

1. load a testcase with a <input MAXLENGTH=N>
2. copy some text that is N chars long to the clipboard
3. click on the text input and paste (CTRL+V)
4. TAB then SHIFT-TAB (text should now be selected)
5. ARROW_RIGHT (text is deselected)
6. SHIFT-ARROW_LEFT (last char is now selected)
7. Paste (CTRL+V) => 2*N-1 chars are now in the text field

I will attach a patch in bug 299417 shortly which fixes this bug too.
Assignee: nobody → mats.palmgren
Depends on: 299417
Keywords: testcase
OS: Windows 2000 → All
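
The paste-over-selection steps from comment 11, modeled as an added example (not code from this bug, its attachments, or the patch in bug 299417): the limit has to be applied to the characters that survive the replacement plus the inserted text, which the checked function below does and the unchecked one does not. All function names are hypothetical and the clipboard text is constructed.

```javascript
// Added example: a model of length-limited insertion, not Gecko's code.
// All function names are hypothetical.

// Replace the selection [selStart, selEnd) of `value` with `text`, cutting
// `text` so the result never exceeds `maxLength` (negative = no limit).
function insertWithMaxLength(value, selStart, selEnd, text, maxLength) {
  if (selStart > selEnd) [selStart, selEnd] = [selEnd, selStart];
  selStart = Math.max(0, Math.min(selStart, value.length));
  selEnd = Math.max(0, Math.min(selEnd, value.length));
  // Only the characters that survive the replacement count against the limit.
  const kept = value.length - (selEnd - selStart);
  const room = maxLength < 0 ? text.length : Math.max(0, maxLength - kept);
  let inserted = text.slice(0, room);
  // Do not leave half of a surrogate pair behind when the cut lands inside one.
  const last = inserted.charCodeAt(inserted.length - 1);
  if (inserted.length < text.length && last >= 0xd800 && last <= 0xdbff) {
    inserted = inserted.slice(0, -1);
  }
  return value.slice(0, selStart) + inserted + value.slice(selEnd);
}

// The same replacement with no length accounting, for comparison.
function insertUnchecked(value, selStart, selEnd, text) {
  return value.slice(0, selStart) + text + value.slice(selEnd);
}

// Replays comment 11 for a field with maxlength n; returns resulting lengths.
function replayComment11(n) {
  const clip = "x".repeat(n); // constructed clipboard text, n chars long
  const pasted = insertWithMaxLength("", 0, 0, clip, n); // step 3
  // Steps 4-6 leave only the last character selected: [n - 1, n).
  return {
    limited: insertWithMaxLength(pasted, n - 1, n, clip, n).length, // step 7
    unchecked: insertUnchecked(pasted, n - 1, n, clip).length,
  };
}

console.log(replayComment11(35));
```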

Comment 12

13 years ago
-> FIXED (by bug 299417)
Last Resolved: 13 years ago
Resolution: --- → FIXED