Allow pasting into form inputs
Users should be able to paste content into form fields to improve usability and reduce errors.
- Do not block the 'paste' event on any form input
- Ensure password fields and credit card inputs allow pasting from managers
- Remove `onpaste="return false"` from all input elements
Rule Details
Preventing a user from pasting into an input field is a common but harmful practice. WCAG's accessible authentication requirement (opens in new tab) and the MDN paste event reference (opens in new tab) both make it clear that blocking paste interferes with assistive workflows and password-manager use.
Code Example
<!-- Incorrect: Prevents pasting -->
<input type="password" onpaste="return false;" placeholder="Confirm Password">
<!-- Correct: Default behavior allows pasting -->
<label for="confirm-password">Confirm Password</label>
<input type="password" id="confirm-password" name="confirm-password">
<!-- Incorrect JavaScript -->
<script>
document.querySelector('#email').addEventListener('paste', (e) => {
e.preventDefault(); // Don't do this
});
</script>Why It Matters
- Security: Preventing pasting in password fields discourages the use of long, complex, unique passwords generated by password managers.
- Accessibility: Users with limited motor control may find it difficult to type long strings accurately and rely on copying and pasting.
- Reduced Errors: Pasting reduces the risk of typos in critical fields like IBANs, email addresses, and long tracking numbers.
- User Satisfaction: Frustrated users are more likely to abandon a process if they are forced to re-type information they already have elsewhere.
Exceptions
- Evaluate the rendered experience before treating a static-code smell as a blocker; interaction timing, browser behavior, and assistive technology output often determine severity.
- Not every secondary accessibility issue deserves equal weight; prioritize the issue that most directly blocks perception, operation, or understanding.
- Avoid adding redundant markup or ARIA solely to satisfy a rule when a simpler semantic implementation would eliminate the issue entirely.
Verification
Automated Checks
- Inspect the browser accessibility tree or accessibility pane for the relevant element, role, or accessible name.
- Run an automated accessibility checker such as axe or Lighthouse where applicable.
Manual Checks
- Test the affected UI with keyboard-only navigation and confirm the rule holds in the rendered experience.
- Re-test one representative user flow with a screen reader if this rule affects a key interaction.
Use with AI
Copy these prompts to use with your AI assistant, or install the MCP server to use directly from Claude, Cursor, or Windsurf.
Check
Verify implementation
Check the codebase for any JavaScript or HTML attributes that prevent users from pasting into form fields.
Fix
Auto-fix issues
Remove any code (e.g., `onpaste="return false"`) that blocks the default paste behavior in inputs.
Explain
Learn more
Explain how allowing pasting into forms improves security and accessibility for users with physical or cognitive disabilities.
Review
Code review
Review the rendered markup and interactive states that affect Allow pasting into form inputs. Flag exact elements, roles, labels, focus behavior, or keyboard interactions that violate the rule, and note how to verify the fix with browser accessibility tooling or assistive tech.