---
title: "Fix Inputs That Block Pasting"
description: "Stop preventing users from pasting into input fields. Blocking paste breaks password managers and frustrates users without improving security."
canonical_url: "https://unlighthouse.dev/learn-lighthouse/best-practices/paste-preventing-inputs"
last_updated: "2025-01-18"
---

Preventing paste in form fields is security theater that actively harms your users. It blocks password managers, forces manual typing of complex passwords, and makes forms slower for everyone - while providing zero actual security benefit.

## What's Happening

Some input fields have JavaScript that intercepts the `paste` event and cancels it, or CSS that disables clipboard functionality. This typically appears on:

- Password confirmation fields ("retype your password")
- Email confirmation fields
- Credit card number inputs
- Verification code fields

The intent is usually to force users to "prove" they typed correctly. In practice, it:

1. Breaks password managers (the primary tool for using strong, unique passwords)
2. Forces users to manually type long, random passwords - leading to errors and frustration
3. Encourages simpler passwords that are easier to type
4. Fails to catch typos anyway (users mistype the same way twice)

## Diagnose

### DevTools

1. Right-click the problematic input > Inspect
2. In Elements panel, look for `onpaste` attribute in HTML
3. Check Event Listeners panel for `paste` listeners
4. Look for CSS `user-select: none` or `-webkit-user-select: none`

### Quick Console Check

```js
document.querySelectorAll('input, textarea').forEach((el) => {
  const events = getEventListeners(el)
  if (events.paste) {
    console.warn('Paste blocked on:', el, events.paste)
  }
})
```

### Lighthouse Details

The audit "Prevents users from pasting into input fields" lists each offending element with its DOM location and input type.

## Fix

### 1. Remove Paste Prevention

Find and delete the code blocking paste:

**Before (bad):**

```html
<!-- HTML attribute -->
<input type="password" onpaste="return false">

<!-- Inline handler -->
<input type="email" onpaste="event.preventDefault()">
```

**After (good):**

```html
<input type="password">
<input type="email">
```

**JavaScript event listener:**

```js
// Bad: Blocking paste
passwordInput.addEventListener('paste', e => e.preventDefault())

// Good: Remove the listener entirely, or just delete this code
```

### 2. Remove Confirmation Fields Entirely

The "retype your email" pattern doesn't catch errors anyway. Users who mistype their email will mistype it the same way twice.

**Before:**

```html
<input type="email" name="email" placeholder="Email">
<input type="email" name="email_confirm" placeholder="Confirm email" onpaste="return false">
```

**After:**

```html
<input type="email" name="email" placeholder="Email">
```

Add email verification by sending a confirmation link. That's actual validation.

### 3. If You Must Have Confirmation, Allow Paste

If product requirements demand confirmation fields, at least let users paste:

```html
<label>
  Password
  <input type="password" name="password" autocomplete="new-password">
</label>
<label>
  Confirm Password
  <input type="password" name="password_confirm" autocomplete="new-password">
</label>
```

Both fields allow paste. Password managers fill both. Users with manual passwords can paste into both. Validation happens on submit:

```js
form.addEventListener('submit', (e) => {
  const password = form.password.value
  const confirm = form.password_confirm.value

  if (password !== confirm) {
    e.preventDefault()
    showError('Passwords do not match')
  }
})
```

### 4. Fix CSS-Based Blocking

Some implementations use CSS to prevent text selection and pasting:

**Before (bad):**

```css
.secure-input {
  user-select: none;
  -webkit-user-select: none;
}
```

**After (good):**

```css
/* Just remove these properties */
.secure-input {
  /* Let users interact normally */
}
```

### 5. Handle Third-Party Form Libraries

Some form libraries or payment processors add paste prevention. Check their configuration:

```js
// Example: Some validation libraries
const form = new FormValidator({
  preventPaste: false, // Disable this
  // ...
})
```

For embedded payment forms (Stripe, etc.), check their documentation for paste-related settings.

## Verify the Fix

1. Reload the page
2. Click into the previously blocked input
3. Paste text (`Cmd/Ctrl+V`)
4. Text should appear

Test with a password manager:

1. Use the password manager to fill the form
2. All fields should populate correctly

Run Lighthouse - the "Prevents users from pasting into input fields" audit should pass.

## Common Mistakes

- **Blocking paste only on confirmation field** - Both fields should allow paste. Password managers need to fill both.
- **Using readonly instead** - `readonly` prevents all input. That's not the same as a functional field that accepts paste.
- **Replacing with custom paste handling** - Some devs try to "sanitize" pasted content. Unless you're stripping specific characters (like spaces from phone numbers), allow normal paste.
- **Mobile keyboard considerations** - Some mobile keyboards have paste functionality that doesn't trigger the standard `paste` event. Blocking paste may work inconsistently anyway.

## The Security Argument

The argument for blocking paste is usually "users should verify what they're typing." Here's why that's backwards:

1. **Password managers generate unique, random passwords** - Blocking paste means users can't use them, leading to weaker passwords.
2. **Mistyped passwords get mistyped consistently** - If someone mistypes their email as `john@gmial.com`, they'll type it wrong both times.
3. **Actual security happens server-side** - Rate limiting, account verification, and proper authentication matter. Paste prevention doesn't.

NCSC (UK National Cyber Security Centre) explicitly recommends against blocking paste in their password guidance.

## Test Your Entire Site

Paste prevention often appears on specific pages: signup, checkout, account settings. [Unlighthouse](/) scans your entire site and flags every input with paste prevention, across all forms.
