September 28, 2012

Difference between typing and pasting in a field

Question by Ferenc Dajka

If I use XSS, what’s the difference between typing in ALERT(‘DSSA’);, or just paste it to a search textfield? In a site, typing works, and makes the alert, but if I just paste it, then it doesn’t. To prevent the question, I don’t want to hack any site, I’m just interested in network security.

Thanks for the answer.

Answer by Starx

I may not have understood the question properly.

Typing triggers keyUp, keyDown and keyPress events on the element. If the code is programmed to capture them only, then only those events will be captured.

Pasting can be done using the keyboard, the mouse and browser options. So this depends on which events you are listening to. There is a separate event called onpaste which will ease everything.

What I mean is, let’s say my code is written to capture the pasting by pressing “Ctrl” + “v” only, but if mouse and browser options are used to paste on the element, then it is configured to capture mouse events also, it cannot be captured.
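
The difference the answer describes, as an added example that is not part of the original post: it replays four ways of entering text against a handler bound to different events and reports which ones the handler actually sees. The event sequences are a constructed, simplified model (one keystroke per path), `handlerCoverage` is a hypothetical helper, and a plain `EventTarget` stands in for the input element so the code runs in Node as well as in a browser console.

```javascript
// Constructed model (not from the original page): the DOM events each way of
// entering text fires on a text field, in order. The browser updates the
// field's value immediately before it dispatches "input".
const INPUT_PATHS = {
  typing:           ['keydown', 'keypress', 'input', 'keyup'],
  ctrlV:            ['keydown', 'paste', 'input', 'keyup'],
  contextMenuPaste: ['paste', 'input'],
  dragAndDrop:      ['drop', 'input'],
};

// Replay every input path against a stand-in field whose handler is bound to
// `boundEvents`, and report whether the handler ever saw the entered text.
function handlerCoverage(boundEvents, text = 'sample text') {
  const coverage = {};
  for (const [path, sequence] of Object.entries(INPUT_PATHS)) {
    const field = new EventTarget();   // stand-in for an <input> element
    field.value = '';
    let seen = false;
    const handler = () => { if (field.value === text) seen = true; };
    for (const name of boundEvents) field.addEventListener(name, handler);

    for (const name of sequence) {
      if (name === 'input') field.value = text;   // value changes, then "input" fires
      field.dispatchEvent(new Event(name));
    }
    coverage[path] = seen;
  }
  return coverage;
}

console.log('keyup only :', handlerCoverage(['keyup']));
console.log('paste only :', handlerCoverage(['paste']));
console.log('input      :', handlerCoverage(['input']));
```

A handler bound to `paste` runs before the field's value is updated, which is why it never sees the new text through `field.value` in this model. A check that must see every change belongs on `input`, with the server treating the submitted value as untrusted regardless.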

