1.39 KB, text/html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:220.127.116.11) Gecko/20060426 Firefox/18.104.22.168 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:22.214.171.124) Gecko/20060426 Firefox/126.96.36.199 Now that bug 303713 is fixed, one can synthesize keystroke events to deliver characters to DOM elements. This includes sending a space to a button, thus activating its onclick handler or causing a form submission. However, synthesizing non printing characters such as arrow keys (where charCode is 0 in the keypress event) has no effect. Reproducible: Always Steps to Reproduce: In the accompanying attachment, pressing the buttons marked simple will cause focus to go to the textarea, followed by a synthesized keypress event directed at the textarea. Pressing the button marked complete will include synthesis of the keydown and keyup events, too. Actual Results: Only the printing character, 'c', is inserted into the textarea. If a left arrow synthesis is attempted, the caret is not moved. Expected Results: When non printing characters are synthesized, the corresponding default behaviour should result unless it is a security violation. For example, ctrl+v should not have any effect. Also, ctrl+number probably shouldn't activate the corresponding tab (unless it's a related window). Csaba Gabor from Vienna
Created attachment 222022 [details] Synthesizing non printing keys (arrows) has no effect This attachment shows that the default action is not carried out when non printing keys are synthesized. Press the buttons on the attachment to synthesize a keypress event and see the result in the textarea (specifically, check for the caret position).
Generally, speaking editor operations (moving the caret, clipboard operations, etc) from a web page _are_ a security violation. Hence the current behavior.
Synthesizing arrow key events could also be used for the autocomplete fill by automatically selecting something from the autocomplete popup and then synthesizing the enter key. This way, a malicious script could steal information from the autocomplete history. It's not useful to sign threads, because every comment contains already your name/e-mail address.
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046 Move all DOM bugs that haven’t been updated in more than 3 years and has no one currently assigned to P5. If you have questions, please contact :mdaly.
Priority: -- → P5
You need to log in before you can comment on or make changes to this bug.