Untrusted applet/copy conundrum

[Andrew Thompson]

Can an untrusted applet provide 'Ctrl C' copy ability
for text fields?

I thought not, but my results are confusing, at best.

Further details (with applet, links to code
and JWS launch, notes..) here.
<http://www.physci.org/test/applet/001/>

Andrew T.

 

[Knute Johnson]

Can an untrusted applet provide 'Ctrl C' copy ability
for text fields?

I thought not, but my results are confusing, at best.

Further details (with applet, links to code
and JWS launch, notes..) here.
<http://www.physci.org/test/applet/001/>

Andrew T.

Andrew:

I'm currently running 1.6.0beta2 on a WinXP machine running Firefox
1.5.0.5 and I can cut, copy, and paste every which way. I tried both
your JApplet and my own test code using Applet and JApplet. I tried
your code with IE 6 as well and it worked fine. The really interesting
thing is that in an Applet, the TextField has a popup menu with Undo,
Cut, Copy, Paste and SelectAll which must be a function of it's Windows
peer.

 

[Andrew Thompson]

....
I'm currently running 1.6.0beta2 on a WinXP machine running Firefox
1.5.0.5 and I can cut, copy, and paste every which way. ...

(snip further details)

Thanks for the report. More data to mull over.

Andrew T.

 

[Thomas Hawtin]

Can an untrusted applet provide 'Ctrl C' copy ability
for text fields?

I thought not, but my results are confusing, at best.

I was under the impression that AWT TextFields could (by nature of their
native nature) and Swing JTextFields could not. As you have found out
this is not the case.

At some point it has been hacked around. What happens is this:

When you the Toolkit generates an event that may represent a copy &
paste action (^X, ^C, ^V, shift-insert, control-insert, middle button,
or whatever) that even is marked as a C&P event in a hidden field. You
cannot create an event like this, and I believe it gets clobbered after
returning from the dispatch. So you can't create or usefully collect one
of these events and the post it to the event queue.

The C&P event handling code checks that there is no user code on the
stack (a highly dubious check, IMO). It checks and clears the hidden
field. If everything is okay, it goes ahead with the action. This stops
you rerouting the event.

What isn't checked is that the text field is actually displaying
anything like a text field. If you were determined, you could make
middle button clicks common in your user interface for non-C&P actions,
or appear to be using C&P internally but actually sneaking a peak at the
system clipboard while faking.

Tom Hawtin

 

[Andrew Thompson]

I was under the impression that AWT TextFields could (by nature of their
native nature)

Right! Yeah, I forgot that detail. It is not of major
relevance to the Swing problem directly, but it may
well provide a solution fo the OP on the original
thread on c.l.j.help, if the Swing copy functionality
turns out to be unsuited to his end user requirement.

Thanks for reminding me.

...and Swing JTextFields could not. As you have found out
this is not the case.

(...snip..)

Yeah.. it is very odd. Or rather, it will probably seem
very less odd after I get a chance to digest your analysis,
...but right now, I'm off to bed.

Thanks for your input.

Andrew T.