From 8936a840922e8fb861934f3f4db89886d2388e71 Mon Sep 17 00:00:00 2001
From: Edgar Chen <echen@mozilla.com>
Date: Wed, 12 Jan 2022 14:24:02 +0000
Subject: [PATCH] Bug 1695636 - Part 3: Do not trigger form submission or click
 event for untrusted key event; r=masayuki

Differential Revision: https://phabricator.services.mozilla.com/D135464
---
 dom/html/HTMLInputElement.cpp                 |   5 +-
 .../input-untrusted-key-event.html            | 123 ++++++++++++++++++
 2 files changed, 126 insertions(+), 2 deletions(-)
 create mode 100644 testing/web-platform/tests/html/semantics/forms/the-input-element/input-untrusted-key-event.html

diff --git a/dom/html/HTMLInputElement.cpp b/dom/html/HTMLInputElement.cpp
index bb40df61ab5e..1ea7df54caa2 100644
--- a/dom/html/HTMLInputElement.cpp
+++ b/dom/html/HTMLInputElement.cpp
@@ -3730,7 +3730,8 @@ nsresult HTMLInputElement::PostHandleEvent(EventChainPostVisitor& aVisitor) {
       FireChangeEventIfNeeded();
       aVisitor.mEventStatus = nsEventStatus_eConsumeNoDefault;
     } else if (!preventDefault) {
-      if (keyEvent && ActivatesWithKeyboard(mType, keyEvent->mKeyCode)) {
+      if (keyEvent && ActivatesWithKeyboard(mType, keyEvent->mKeyCode) &&
+          keyEvent->IsTrusted()) {
         // We maybe dispatch a synthesized click for keyboard activation.
         HandleKeyboardActivation(aVisitor);
       }
@@ -3823,7 +3824,7 @@ nsresult HTMLInputElement::PostHandleEvent(EventChainPostVisitor& aVisitor) {
            *     not submit, period.
            */
 
-          if (keyEvent->mKeyCode == NS_VK_RETURN &&
+          if (keyEvent->mKeyCode == NS_VK_RETURN && keyEvent->IsTrusted() &&
               (IsSingleLineTextControl(false, mType) ||
                IsDateTimeInputType(mType) ||
                mType == FormControlType::InputCheckbox ||
diff --git a/testing/web-platform/tests/html/semantics/forms/the-input-element/input-untrusted-key-event.html b/testing/web-platform/tests/html/semantics/forms/the-input-element/input-untrusted-key-event.html
new file mode 100644
index 000000000000..607b0c51ef6e
--- /dev/null
+++ b/testing/web-platform/tests/html/semantics/forms/the-input-element/input-untrusted-key-event.html
@@ -0,0 +1,123 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Forms</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<div id="log"></div>
+<form id="input_form">
+  <input type="submit" value="submit"><br>
+</form>
+<script type="module">
+import inputTypes from "./input-types.js";
+
+const form = document.querySelector("form");
+form.addEventListener("submit", (e) => {
+  e.preventDefault();
+  assert_true(false, 'form should not be submitted');
+});
+
+// Create and append input elements
+for (const inputType of inputTypes) {
+  let input = document.createElement("input");
+  input.type = inputType;
+  form.appendChild(input);
+}
+
+const submit = document.querySelector("input[type=submit]");
+submit.addEventListener("click", function(e) {
+  assert_true(false, 'input submit should not be clicked');
+});
+
+// Start tests
+for (const inputType of inputTypes) {
+  let input = document.querySelector(`input[type=${inputType}]`);
+  input.addEventListener("click", function(e) {
+    assert_true(false, `input ${inputType} should not be clicked`);
+  });
+
+  test(() => {
+    // keyCode: Enter
+    input.dispatchEvent(
+      new KeyboardEvent("keypress", {
+        keyCode: 13,
+      })
+    );
+
+    // key: Enter
+    input.dispatchEvent(
+      new KeyboardEvent("keypress", {
+        key: "Enter",
+      })
+    );
+
+    // keyCode: Space
+    input.dispatchEvent(
+      new KeyboardEvent("keypress", {
+        keyCode: 32,
+      })
+    );
+
+    // key: Space
+    input.dispatchEvent(
+      new KeyboardEvent("keypress", {
+        key: " ",
+      })
+    );
+  }, `Dipatching untrusted keypress events to input ${inputType} should not cause form submission or click event`);
+
+  test(() => {
+    // keyCode: Enter
+    input.dispatchEvent(
+      new KeyboardEvent("keydown", {
+        keyCode: 13,
+      })
+    );
+    input.dispatchEvent(
+      new KeyboardEvent("keyup", {
+        keyCode: 13,
+      })
+    );
+
+    // key: Enter
+    input.dispatchEvent(
+      new KeyboardEvent("keydown", {
+        key: "Enter",
+      })
+    );
+    input.dispatchEvent(
+      new KeyboardEvent("keyup", {
+        key: "Enter",
+      })
+    );
+
+    // keyCode: Space
+    input.dispatchEvent(
+      new KeyboardEvent("keydown", {
+        keyCode: 32,
+      })
+    );
+    input.dispatchEvent(
+      new KeyboardEvent("keyup", {
+        keyCode: 32,
+      })
+    );
+
+    // key: Space
+    input.dispatchEvent(
+      new KeyboardEvent("keydown", {
+        key: " ",
+      })
+    );
+    input.dispatchEvent(
+      new KeyboardEvent("keyup", {
+        key: " ",
+      })
+    );
+  }, `Dipatching untrusted keyup/keydown event to input ${inputType} should not cause form submission or click event`);
+}
+</script>
+</body>
+</html>