Highlighted

Plugin API Bug: Bypassing the need for user interaction before editing a document.

New Here ,
Jul 20, 2020

Copy link to clipboard

Copied

Hello.

Normally, before editing a document through plugin API, a user must interact with the plugin in some way (e.g. clicking a button), but JavaScript allows us to fake a button "click" through the code using HTMLElement's click() function, which bypasses this need because that faked button "click" event is considered to have been made by the user. I assume this is not intended to work this way?

Here's the code of this little "exploit":

const div = document.createElement('div');
div.addEventListener('click', () => {
    // Now we can edit the document without any problems:
    // application.editDocument(...)

    div.remove();
});
document.body.appendChild(div);

// Wait for our <div> to be actually added to the DOM, otherwise
// the click event will not be fired.
setTimeout(() => {
    div.click();
});


Tested on the latest version (30.3.12.5).

Hi there,

 

Thanks for reaching out. We have a separate forum for plugins: https://forums.adobexdplatform.com/

 

I'd request posting your query there so that plugin experts can help you.

 

Regards

Rishabh

TOPICS
Plug-ins

Views

37

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

Plugin API Bug: Bypassing the need for user interaction before editing a document.

New Here ,
Jul 20, 2020

Copy link to clipboard

Copied

Hello.

Normally, before editing a document through plugin API, a user must interact with the plugin in some way (e.g. clicking a button), but JavaScript allows us to fake a button "click" through the code using HTMLElement's click() function, which bypasses this need because that faked button "click" event is considered to have been made by the user. I assume this is not intended to work this way?

Here's the code of this little "exploit":

const div = document.createElement('div');
div.addEventListener('click', () => {
    // Now we can edit the document without any problems:
    // application.editDocument(...)

    div.remove();
});
document.body.appendChild(div);

// Wait for our <div> to be actually added to the DOM, otherwise
// the click event will not be fired.
setTimeout(() => {
    div.click();
});


Tested on the latest version (30.3.12.5).

Hi there,

 

Thanks for reaching out. We have a separate forum for plugins: https://forums.adobexdplatform.com/

 

I'd request posting your query there so that plugin experts can help you.

 

Regards

Rishabh

TOPICS
Plug-ins

Views

38

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Jul 20, 2020 0
Adobe Employee ,
Jul 20, 2020

Copy link to clipboard

Copied

Hi there,

 

Thanks for reaching out. We have a separate forum for plugins: https://forums.adobexdplatform.com/

 

I'd request posting your query there so that plugin experts can help you.

 

Regards

Rishabh

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jul 20, 2020 1