Closed
Bug 597129
Opened 14 years ago
Closed 14 years ago
Web page can steal paste text. Textbox in web page is changed to pasted text temporarily when execute "Paste & Go" or "Paste & Search" command.
Categories
(Firefox :: Address Bar, defect)
Firefox
Address Bar
Tracking
()
RESOLVED
FIXED
Firefox 4.0b7
Tracking | Status | |
---|---|---|
blocking2.0 | --- | beta7+ |
People
(Reporter: alice0775, Assigned: Dolske)
References
Details
(Keywords: privacy, Whiteboard: [sg:low])
Attachments
(2 files, 1 obsolete file)
364 bytes,
text/html
|
Details | |
5.10 KB,
patch
|
Gavin
:
review+
|
Details | Diff | Splinter Review |
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b7pre) Gecko/20100916 Firefox/4.0b7pre ID:20100916041016 Textbox in web page changes to pasted text temporarily when execute "Past & Go" or "Pase & Search" command Reproducible: Always Steps to Reproduce1: 1. Start Minefield with new profile 2. Open URL ( about:home or http://search.yahoo.com/ etc) 3. Copy valid URL to clipboard 4. Right click in LocationBar and Select "Past & Go" in ContextMenu 5. Watch textbox of contentarea carefully. Steps to Reproduce2: 1. Start Minefield with new profile 2. Open URL ( about:home or http://search.yahoo.com/ etc) 3. Copy any text to clipboard 4. Right click in SearchBar and Select "Past & Search" in ContextMenu 5. Watch textbox of contentarea carefully. Actual Results: Textbox in web page changes to pasted text temporarily when execute "Past & Go" or "Pase & Search" command Expected Results: Should not change textbox of webpage.
Reporter | ||
Updated•14 years ago
|
Summary: Textbox in web page changes to pasted text temporarily when execute "Past & Go" or "Pase & Search" command → Textbox in web page is changed to pasted text temporarily when execute "Past & Go" or "Pase & Search" command
Reporter | ||
Comment 1•14 years ago
|
||
[STR] 1. Start Minefield with new profile 2. Copy valid URL/text to clipboard 3. Open URL ( testcase ) 4. Right click in LocationBar/SearchBar and Select "Past & Go"/"Past & Search" in ContextMenu [Actual] The testCase page steals pasted text
Reporter | ||
Updated•14 years ago
|
Severity: normal → major
blocking2.0: --- → ?
Target Milestone: --- → Firefox 4.0
Reporter | ||
Updated•14 years ago
|
Summary: Textbox in web page is changed to pasted text temporarily when execute "Past & Go" or "Pase & Search" command → Textbox in web page is changed to pasted text temporarily when execute "Paste & Go" or "Paste & Search" command
Reporter | ||
Updated•14 years ago
|
Summary: Textbox in web page is changed to pasted text temporarily when execute "Paste & Go" or "Paste & Search" command → Web page can steal paste text. Textbox in web page is changed to pasted text temporarily when execute "Paste & Go" or "Paste & Search" command.
Comment 2•14 years ago
|
||
This is caused by using cmd="cmd_paste", which I guess triggers the paste commend again after we've already pasted and gone. Dolske, any ideas for alternatives? I still don't know why the <observes/> that I used failed to work.
Assignee: nobody → fryn
Status: NEW → ASSIGNED
OS: Windows 7 → All
Hardware: x86 → All
Assignee | ||
Comment 3•14 years ago
|
||
Need to either fix this or back out Paste&Go for B7. Will look at this today.
blocking2.0: ? → beta7+
Assignee | ||
Comment 4•14 years ago
|
||
Bah. Yeah, the cmd= trick worked for enabling the new menuitem, but I didn't notice other code (the menu popup binding's oncommand) was using it to execute the specified command too. So, we were indeed triggering a paste command twice. This patch removes that hack, and just explicitly uses a popupshowing handler to enable/disable Paste&Go / Paste&Search in the usual way.
Assignee: fryn → dolske
Attachment #476981 -
Flags: review?(gavin.sharp)
Comment 5•14 years ago
|
||
Comment on attachment 476981 [details] [diff] [review] Patch v.1 >diff --git a/browser/base/content/urlbarBindings.xml b/browser/base/content/urlbarBindings.xml >- element.setAttribute("cmd", "cmd_paste"); I don't understand how this had any effect at all - the attribute usually used for this is "command", not "cmd", and I don't see any magic with command=cmd inheritance or anything like that. >+ this._contextMenu.removeEventListener("popupshowing", this, false); I don't think this is necessary. In fact I'd probably prefer just using a closure rather than passing "this" as the handler (makes retrieving the element simpler too). >+ <field name="_contextMenu"></field> >+ case "popupshowing": >+ var items = this._contextMenu.getElementsByAttribute("anonid", "paste-and-go"); >+ if (!items) >+ return; >+ var pasteAndGo = items[0]; (Not relevant if you follow my other suggestion, but does querySelector("[anonid=paste-and-go]") work for this?)
Assignee | ||
Comment 6•14 years ago
|
||
Attachment #476981 -
Attachment is obsolete: true
Attachment #477029 -
Flags: review?(gavin.sharp)
Attachment #476981 -
Flags: review?(gavin.sharp)
Assignee | ||
Comment 7•14 years ago
|
||
[As noted on IRC, the |cmd| magic happens in toolkit/content/widgets/textbox.xml's _setMenuItemVisibility().]
Updated•14 years ago
|
Attachment #477029 -
Flags: review?(gavin.sharp) → review+
Assignee | ||
Comment 8•14 years ago
|
||
Pushed http://hg.mozilla.org/mozilla-central/rev/2c20189106c0 Thanks for catching this, great find!
Target Milestone: Firefox 4.0 → Firefox 4.0b7
Assignee | ||
Updated•14 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•