Disable Paste Disabling

Circumvent those pesky fields that prevent text pasting

Traveling Tech Guy
Aug 10, 2016 · 5 min read

One day, some genius came up with the brilliant idea to disable pasting text into password fields on new profile creation pages. Said genius probably figured that forcing users to manually type each character of their new passwords, would make users remember their passwords better. I’m sure he thought it increases security for the site, and lowered the chance of users reusing their favorite “p@$$w0rd123”.

As a bonus, the genius hoped this would disrupt those pesky bots that keep creating endless bogus profiles on the site — completely forgetting that if you can program a bot to read ReCaptchas that I have no chance of deciphering, it shouldn’t take much to have them input characters one at a time into a field.

To manage my tons of online profiles I use a password manager. As part of creating a new profile, the app generates a secure random password, 20–64 characters in length, made of upper/lower case, numbers, spaces and symbols. The app is available on every device I have, and allows copy-pasting passwords into other apps or sites. The idea is that I’ll never need to type that password. The last thing I want to do is type a long password, character by character, on a phone touch-keyboard, making mistakes along the way, and risking locking myself out of my account.

So when I hit this annoyance again, I decided to spend a few minutes to figure out how to circumvent this behavior. It’s quite simple, and in most cases you can do it too. All you need is a web browser, Developer Tools enabled (Safari), and basic knowledge of JavaScript.

Here’s the form I needed to fill out. I removed site name — not sure how happy they’d be with this post 😊. Notice the “Things are about to get easier” header, right before they force you to type 20 characters:

The password field prevents pasting, making sure you enjoy typing at least 6 characters

How to circumvent paste prevention in a form

The key fact to remember is that event handling in a web form is done entirely on the client-side (browser), through JavaScript. You have access to all JavaScript files your browser downloaded with the page. And the code is readable, and changeable on the fly.

To prevent pasting in a text field, a developer needs to handle the `paste` event, and prevent the default behavior that occurs when it’s triggered (namely, text gets pasted). So we’re looking for a code pattern that looks like one of these:

Paste event disabling patterns

So let’s open Developer Tools and look at the code behind our culprit form. Hit whatever combination brings up Developer Tools in your browser (<Ctrl> + <Shift> + <i> in Windows, <Command> + <Shift> + <i> in Mac) or just right-click in the page and choose “Inspect”.

Chrome Developer Tools on Windows

We’re interested in JavaScript, so let’s switch to the “Sources” tab, highlight the top of the tree that appears on the left, and search all the files for the word “paste”:

The sources tree shows all resources loaded by the page

Only consider files with a “.js” extension. In my case, there are 6 occurrences of “paste”, in 2 JS files. Clicking the first displays its source in the “Sources” pane:

The Search pane shows 2 files, with 3 matches each

The source file displayed may look like a single line of jumbled characters. That’s because it has been “minified” — a process that makes JS files smaller, for faster transmission over the net, as well as less readable to casual observers. Luckily, Developer Tools has us covered: hit the “pretty print” button (looks like {} — highlighted above), and you can read the source:

Line 8915 looks like what we’re looking for…

As you can see, line 8915 is a definition of a function called ‘preventPaste’ that matches the third pattern mentioned above. Great, we’ve identified our culprit!
Now let’s add a breakpoint at line 8916 — the body of the function — to make sure our function stops executing. To add a breakpoint, click the gutter to the left of line 8916. That’ll add a visible arrow to the line:

Color of the breakpoint may vary

Now let’s paste some text into the form. If all was done right, the code execution will stop at our breakpoint. If not, just look for the next occurrence of “paste” and add a breakpoint there. But most probably you should see:

Notice the “Paused in debugger” alert

Great, so now we paused the execution of the handling logic, how should we proceed? The function is receiving one parameter — ‘a’ the paste event. It has properties, and functions. It then calls the ‘preventDefault’ function of ‘a’, to prevent the default behavior — text pasting. So all we need to do is replace ‘a’ with a bogus object, that has a ‘preventDefault’ function that does nothing. Switch to the ‘Console’ tab at the bottom, type the following and hit “Enter”:

You should get a confirmation line that your object has been accepted

Now hit the “Play” button on the top right to resume the script’s execution. If all was done correctly, your password has now been pasted into the field:

Success!

This may not be the easiest, or quickest, way to circumvent paste disablement; but it means I can paste longer passwords without typos.
Since the code pattern is quite predictable, I’m entertaining the thought of creating a Chrome extension that will inject my bogus object into any ‘paste’ event handler. I hope that by the time I actually get around to this, this anti-pasting anti-pattern will have become a thing of the past.

Traveling Tech Guy

Written by

Just a simple, hard-working traveling tech guy. Follow my tech adventures around the planet at http://www.TravelingTechGuy.com