Email conversation
From | Jack Z |
To | Me |
Subject | programmatically fire events |
Date | 11 September 2008 05:34 |
Hello Mark,
As with everyone else, I am very impressed at your tutorials for their
details and clarity.
I just have a simple question, in your DOM events tutorial, you mentioned
that when mannually firing events, for security reasons the default action
is not executed. However, I just want to confirm you that this is not the
case in Firefox (2/3, not sure about 1). I haven't tested the focus event,
but definitely for OnKeyPress and OnClick events, you can actually use
javascript to populate input boxes and click on buttons using these events
(in FF). In IE however, these default actions do not get fired. Of course,
you can get around this with element.click() or just use javascript to
modify element.value. So I don't really agree with you when you say it's a
security issue (after all, it is your page, so you won't get to gain much by
simulating UI events)
Regards,
Jack
From | Me |
To | Jack Z |
Subject | Re: programmatically fire events |
Date | 11 September 2008 07:58 |
Attachment | simple demo |
Jack,
> for OnKeyPress and
> OnClick events, you can actually use javascript to populate input
> boxes and click on buttons using these events (in FF)
This sounds quite scary and broken, but simple testing did not show this
behaviour. I have attached a simple demo that shows that keypress does not
populate the input. If you have any tests that show otherwise, I would be
extremely interested in seeing them.
The reasons that this could be a security issue are quite simple. Imagine
these scenarios:
1.
A page containing 1 input. JavaScript focuses the input. JavaScript
simulates the keypress event for the 'Tab' key. The address bar would now be
focused in Firefox if this were a real keypress. JavaScript fires the events
for the following keys, targeting the window object:
h, t, t, p, :, /, /, w, w, w, ., y, o, u, r, b, a, n, k, ., c, o, m, /
If that actually appeared in the address bar, then you would have a security
issue allowing you to spoof the page address
2.
A page containing an iframe, which loads your bank's website. JavaScript
fires a click event at the coordinates that place it over an input in the
iframe (say, a form field for 'transfer money to this account'). JavaScript
then fires key events in various sequences, targeting the iframe's window
object, that cause desired writing to appear in the form field. This causes
money to be transferred to an attacker's account.
I hope you can see the problems from those. Neither should be possible, and
to my knowledge, neither of those are possible, due to manually firing
events not actually creating the associated default action.
But please, if you have found something I have not found, send it to me for
analysis, because it is possible there is a serious bug here.
Mark 'Tarquin' Wilton-Jones - author of http://www.howtocreate.co.uk/
From | Jack Z |
To | Me |
Subject | Re: programmatically fire events |
Date | 11 September 2008 14:39 |
Attachment | simple demo |
Hello Mark,
I don't have time to comment on your scenarios (I am late for work :) but I
quickly modified your demo to make it work on my FF3 on Vista.
Thanks,
Jack
From | Me |
To | Jack Z |
Subject | Re: programmatically fire events |
Date | 11 September 2008 17:01 |
Jack,
> I don't have time to comment on your scenarios (I am late for work :)
> but I quickly modified your demo to make it work on my FF3 on Vista.
Thanks for that. Yes, it seems you have stumbled on a bug in Firefox. This
creation of characters and clicks certainly should not happen. I have been
through the scenarios and another one (typing in a file input could allow
upload of files) but it seems that since the bug only affects a few things,
none of the scenarios have any effect (meaning I did not find any security
issues in the process).
Note that it only affects form inputs (probably as an artefact of how they
are internally created from markup and scripts), so firing the click event
on a link does not open the link. It also seems limited only to printable
characters, so you cannot use UI shortcuts like TAB. It also cannot type in
file inputs.
It is still a bug, so since you found it, please report it to them using
their bug tracking system. I have a testcase here which you can point them
to:
http://www.howtocreate.co.uk/mozBugs/keyeventaction.html
Tarquin
From | Jack Z |
To | Me |
Subject | Re: programmatically fire events |
Date | 12 September 2008 03:58 |
Hi Tarquin,
Unfortunately, this is not a bug but a feature. Please look at [Firefox
1.5.0.2 changelog]
Which said that bug 303713:
https://bugzilla.mozilla.org/show_bug.cgi?id=303713
(textbox.dispatchEvent(keyEvent) no longer adds character to textbox in
Firefox 1.0.6.) is fixed. This means that dispatchEvent should in fact
trigger simulated key strokes. However, in the original example that you
showed me, you invoked a keypress event and no character was entered into
textbox. That behaviour should in fact be a bug, and you are the one who
discovered it ;)
Regards,
Jack
From | Me |
To | Jack Z |
Subject | Re: programmatically fire events |
Date | 15 September 2008 21:30 |
Jack,
> Unfortunately, this is not a bug but a feature.
Oh dear. So once again, Mozilla are deliberately breaking the spec and
being incompatible with all other browsers. Intentional or not, that is
not useful for anybody. The mistaken bug should be set to invalid, and
the issue fixed properly. Oh well, they have a habit of breaking spec
like this for no good reason except to maintain old mistakes and treat
them as features. This would not be acceptable if it were any other
browser, and it really should be no different for Mozilla either.
I am not going to push this further, though you really should, since it is
definitely a bug. I just hate that Mozilla are allowed to get away with
creating pointless incompatibilities, that invariably cause problems for
other browsers.