Forums Bug Reports Thread

Inbox keyboard navigation intercepts j/k/arrows without guarding contenteditable or SELECT

Patrick Bass · Jun 6 · 12 · 1 Locked
[Minor] [Normal Priority] [Bug Fixed] [Always Reproduces]
Oldest Newest Top
Patrick Bass 🚀 OP Jun 6, 2026 5:50pm

Area: Messaging & chat (audit p4) · Surface: /messages (MessageController@inbox) · Dimension: Law 5 — mobile / keyboard robustness · Severity: minor

The inbox arrow/j/k row navigation swallows those keys for any focused element that is not an INPUT or TEXTAREA. Today the inbox has no contenteditable editor so the practical blast radius is small, but the guard is incomplete and brittle — any future contenteditable/SELECT control on the page would have j/k typing and Up/Down option-cycling hijacked. The standard guard is `isContentEditable`/SELECT inclusive.

Evidence

templates/messages/inbox.php:210 guards only `if (ev.target.tagName === 'INPUT' || ev.target.tagName === 'TEXTAREA') return;` then preventDefaults `j`/`k`/ArrowUp/ArrowDown globally (lines 211-213). It does not check `ev.target.isContentEditable` or `SELECT`.

Suggested fix. Broaden the guard: `if (ev.target.tagName === 'INPUT' || ev.target.tagName === 'TEXTAREA' || ev.target.tagName === 'SELECT' || ev.target.isContentEditable) return;`

Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.

Patrick Bass
@mobieus

Patrick Bass 🚀 Jun 7, 2026 5:31am

Resolved — fixed and deployed. Commit af2b6678f082, shipped dev-first then to all tenants on 2026-06-06.

Broadened the keydown guard in the inbox keyboard-nav script (was line 210) so arrow/j/k/Enter shortcuts no longer fire while typing in SELECT or contenteditable elements, in addition to the existing INPUT/TEXTAREA check: now `ev.target.tagName === 'INPUT' || 'TEXTAREA' || 'SELECT' || ev.target.isContentEditable`.

Status: fixed. Thread closed and locked.

Patrick Bass
@mobieus

Related Discussions

[New] mobieusLearn: Essay/file-upload submissions are accepted but cannot be graded — no instructor grading inbox
Feature Requests · 1 replies · 17 views
[Enhancement] mobieusKnow: Long-form editor has no draft state or autosave — work is lost on accidental navigation
Feature Requests · 1 replies · 8 views
[New] Cross-cutting infra: Footer and site navigation links are entirely hard-coded — no admin-managed custom nav/footer links
Feature Requests · 0 replies · 12 views
toggleReaction and listComments operate on arbitrary/deleted item ids without existence checks
Bug Reports · 1 replies · 11 views
Open redirect: AdminAchievementController redirects to raw $_POST['return_to'] without the safe-path allowlist used by sibling controllers
Bug Reports · 1 replies · 12 views

Log in or register to reply to this thread.