Firefox 77 won't truncate text exceeding max length to address password pasting issues

Mozilla plans to address an annoying issue in Firefox 77 related to pasting on sites that set a maxlength attribute to prevent password truncation when submitting form data.

Imagine the following scenario: you use a password manager to generate secure passwords when you sign-up for a service on the Internet or change an existing account password. Your expectation is that the entire password is pasted into the password field and submitted to the server.

If the developer of the site set a max length attribute for the password field, the pasted password will get truncated automatically. The truncated password is submitted to the server and accepted as the user password. When you then try to sign-in to the service, you will notice that the original password is not accepted because of the truncation.

Most sites don't reveal to the user that the password or other text has been truncated; this is especially problematic for passwords as you cannot easily verify the input unless a "reveal" option is attached to the field.

Mozilla found a solution for the issue that won't change site functionality but addresses the underlying issue. Firefox will mark the form control as invalid when a string that has been entered into the field exceeds the maximum length attribute (if set). The user will be notified about the issue so that it can be corrected before the data is sent to the server.

firefox text input warning

Firefox displays a red border around the field and a message that informs the user about the issue, e.g. "Please shorten this text to XYZ characters or less (you are currently using ABC characters" and paints a red border around the password field to highlight the problem.

The form cannot be submitted until the issue has been resolved; this usually means changing the entered text to match the maximum length attribute of the field.

Mozilla's solution prevents that the server receives a longer than expected password or string.

firefox editor truncate user pastes

Firefox users may turn off the new behavior by setting the new preference editor.truncate_user_pastes to TRUE.

  1. Load about:config in the Firefox address bar (make sure you run Firefox 77 or newer).
  2. Search for editor.truncate_user_pastes.
    1. Set the value to TRUE to disable the functionality.
    2. Set the value to FALSE to enable it (default).

You can check out the bug on Mozilla here for additional information on the implementation.

Closing Words

Mozilla's implementation addresses a long standing problem that users who paste passwords into password fields (and text into some other fields) may have experienced while using forms on the Internet. It is not just a problem of manually pasting content but may also occur if password manager extensions are used to paste.

Post a Comment

0 Comments