[wp-trac] [WordPress Trac] #33601: Pasting a password on an iOS device doesn't work properly

WordPress Trac noreply at wordpress.org
Sat Aug 29 21:31:15 UTC 2015

#33601: Pasting a password on an iOS device doesn't work properly
 Reporter:  magicroundabout  |      Owner:
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Users            |    Version:  trunk
 Severity:  normal           |   Keywords:
  Focuses:                   |
 I've noticed an issue with pasting a password into a user profile on an
 iOS device.

 I've replicated this on 4.3 and the latest nightly (4.4-alpha-33636).

 Here's a (slightly slow and awkward) video showing the problem:

 The basic steps to replicate this are:

 * Edit a user profile on an iOS device
 * Copy a password from somewhere into the iOS clipboard
 * Tap the "generate password" button
 * Use the iOS Select All and Paste function to add your own password into
 the box
 * Click the "Update User" button
 * Open a new, logged-out browser window and attempt to log in as that user

 This can be overcome by using the iOS keyboard to edit the password after
 you've pasted it in.

 My guess was that a keyup or update event was triggering a fill of some
 hidden fields. This seems to be the case. The one displayed field has name
 "pass1-text". This populates two hidden fields called "pass1" and "pass2".
 The back-end code uses the values of pass1 and/or pass2 to actually update
 the password's value.

 There are two issues here.

 The first and most obvious is that the paste event isn't triggering the
 update of pass1 and pass2. This LOOKS like it could be fixed by changing
 line 50 of user-profile.js to be:

 .on('keyup paste', function () {

 BUT I tried this and it turns out the paste event fires before the input's
 .val() is updated. There are numerous solutions to this but they all feel
 pretty hacky (see
 http://stackoverflow.com/questions/2176861/javascript-get-clipboard-data-on-paste-event-cross-browser
 for example). I could have
 a go at a patch, but I suspect it needs input from someone who's better at
 JS than I am.

 The second issue is that the password SEEMS to be changed in the back-end,
 even if the submitted pass1-text is different to the values of pass1 and

 In the case of the failed paste, the POST'ed pass1 and pass2 have the
 value that was populated when I clicked "Generate password", but
 pass1-text is different - it has the value I pasted in. I don't know if
 you want an additional validation check here? Or maybe it's OK as long as
 we sort out the JS and population of pass1 and pass2?

Ticket URL: <https://core.trac.wordpress.org/ticket/33601>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
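
The behaviour reported in the ticket, as an added example that is not part of the ticket or of WordPress core: a constructed model of the pass1-text, pass1 and pass2 fields that replays "generate, then paste" with the sync handler bound to different events, plus the kind of consistency check the reporter asks about. FakeInput, buildForm, replay and fieldsConsistent are hypothetical names, and the model assumes what the ticket observes: the paste event fires before the field's value changes, while the input event fires after it.

```javascript
// Constructed model of a text input (not a real DOM element): like a browser,
// it fires 'paste' BEFORE the value changes and 'input' AFTER the change.
class FakeInput {
  constructor(value = '') { this.value = value; this.handlers = {}; }
  on(events, fn) {
    for (const e of events.split(' ')) {
      this.handlers[e] = this.handlers[e] || [];
      this.handlers[e].push(fn);
    }
    return this;
  }
  fire(event) { (this.handlers[event] || []).forEach((fn) => fn.call(this)); }
  type(ch) { this.value += ch; this.fire('input'); this.fire('keyup'); }
  paste(text) { this.fire('paste'); this.value = text; this.fire('input'); }
}

// Build the three fields named in the ticket and bind the sync handler to `events`.
function buildForm(events) {
  const form = { text: new FakeInput(), pass1: new FakeInput(), pass2: new FakeInput() };
  form.text.on(events, function () {
    form.pass1.value = this.value; // hidden fields mirror the visible one
    form.pass2.value = this.value;
  });
  return form;
}

// Replay the ticket's steps (generate, select all, paste) and return the POST body.
function replay(events, generated, pasted) {
  const form = buildForm(events);
  form.text.value = form.pass1.value = form.pass2.value = generated; // "Generate password"
  form.text.paste(pasted);
  return { 'pass1-text': form.text.value, pass1: form.pass1.value, pass2: form.pass2.value };
}

// Hypothetical server-side guard: refuse the update when the visible field
// and the hidden fields disagree, instead of silently saving pass1.
function fieldsConsistent(post) {
  return post.pass1 === post.pass2 &&
    (post['pass1-text'] === undefined || post['pass1-text'] === post.pass1);
}

const GENERATED = 'gen-EXAMPLE-1', PASTED = 'pasted-EXAMPLE-2'; // constructed values
for (const events of ['keyup', 'keyup paste', 'keyup input']) {
  const post = replay(events, GENERATED, PASTED);
  console.log(events.padEnd(12), post.pass1 === PASTED ? 'synced' : 'stale',
    fieldsConsistent(post) ? 'accepted' : 'rejected');
}
```

In this model only the handler bound to input copies the pasted value into pass1 and pass2; with keyup alone or with keyup paste the hidden fields keep the generated password, and the consistency check is what notices the mismatch.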
