[wp-trac] [WordPress Trac] #33601: Pasting a password on an iOS device doesn't work properly
WordPress Trac
noreply at wordpress.org
Sat Aug 29 21:31:15 UTC 2015
#33601: Pasting a password on an iOS device doesn't work properly
-----------------------------+-----------------------------
Reporter: magicroundabout | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: trunk
Severity: normal | Keywords:
Focuses: |
-----------------------------+-----------------------------
I've noticed an issue with pasting a password into a user profile on an
iOS device.
I've replicated this on 4.3 and the latest nightly (4.4-alpha-33636)
Here's a (slightly slow and awkward) video showing the problem:
[http://www.youtube.com/watch?v=dq1xt_ahbL4]
The basic steps to replicate this are:
* Edit a user profile on an iOS device
* Copy a password from somewhere into the iOS clipboard
* Tap the "generate password" button
* Use the iOS Select All and Paste function to add your own password into
the box
* Click the "Update User" button
* Open a new, logged-out browser window and attempt to log in as that user
This can be overcome by using the iOS keyboard to edit the password after
you've pasted it in.
My guess was that a keyup or update event was triggering a fill of some
hidden fields. This seems to be the case. The one displayed field has name
"pass1-text". This populates two hidden fields called "pass1" and "pass2".
The back-end code uses the values of pass1 and/or pass2 to actually update
the password's value.
There are two issues here.
The first and most obvious is that the paste event isn't triggering the
update of pass1 and pass2. This LOOKS like it could be fixed by changing
line 50 of user-profile.js to be:
{{{
.on('keyup paste', function () {
}}}
BUT I tried this and it turns out the paste event fires before the input's
.val() is updated. There are numerous solutions to this but they all feel
pretty hacky (see
http://stackoverflow.com/questions/2176861/javascript-get-clipboard-data-on-paste-event-cross-browser
for example). I could have a go at a patch, but I suspect it needs input
from someone who's better at JS than I am.
The second issue is that the password SEEMS to be changed in the back-end,
even if the submitted pass1-text is different to the values of pass1 and
pass2.
In the case of the failed paste, the POST'ed pass1 and pass2 have the
value that was populated when I clicked "Generate password", but
pass1-text is different - it has the value I pasted in. I don't know if
you want an additional validation check here? Or maybe it's OK as long as
we sort out the JS and population of pass1 and pass2?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33601>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
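
Added example (not part of the original ticket or of WordPress's user-profile.js): a small browser-free model of the field wiring the ticket describes, showing why a keyup handler and a paste handler both leave pass1/pass2 stale, and a submit-time check that catches the mismatch. The field names pass1-text, pass1 and pass2 are from the ticket; FakeInput, makeForm, generateThenPaste and passwordFieldsConsistent are hypothetical, and syncing on the standard `input` event is a swapped-in approach, not the ticket's proposed change.

```javascript
// Added example. Field names pass1-text, pass1, pass2 are from the ticket;
// every class and function name here is hypothetical.

// Stand-in for the visible text input. A paste emits 'paste' BEFORE the value
// changes and 'input' AFTER it, and emits no 'keyup' (the order the ticket saw).
class FakeInput {
  constructor() { this.value = ''; this.handlers = {}; }
  on(ev, fn) { this.handlers[ev] = (this.handlers[ev] || []).concat(fn); }
  emit(ev) { (this.handlers[ev] || []).forEach((fn) => fn()); }
  type(text) { this.value = text; this.emit('input'); this.emit('keyup'); }
  paste(text) { this.emit('paste'); this.value = text; this.emit('input'); }
}

// Wire the hidden fields to be copied from the visible one on each listed event.
function makeForm(events) {
  const visible = new FakeInput();
  const hidden = { pass1: '', pass2: '' };
  events.forEach((ev) => visible.on(ev, () => {
    hidden.pass1 = visible.value;
    hidden.pass2 = visible.value;
  }));
  return { visible, hidden };
}

// The ticket's steps: "generate password" leaves all three fields equal,
// then Select All + Paste replaces only what the user sees.
function generateThenPaste(events, generated, pasted) {
  const { visible, hidden } = makeForm(events);
  visible.value = hidden.pass1 = hidden.pass2 = generated;
  visible.paste(pasted);
  return { 'pass1-text': visible.value, pass1: hidden.pass1, pass2: hidden.pass2 };
}

// Submit-time check: refuse the change unless the shown and hidden values agree.
function passwordFieldsConsistent(post) {
  return post['pass1-text'] === post.pass1 && post.pass1 === post.pass2;
}

// Constructed sample values.
for (const events of [['keyup'], ['keyup', 'paste'], ['input']]) {
  const post = generateThenPaste(events, 'Gen3rated!', 'my-pasted-pw');
  console.log(events.join('+'), '->', post.pass1, passwordFieldsConsistent(post));
}
```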