Bypassing Copy-Paste Restrictions on Japanese Rental Car Websites
This mid-November, I am preparing for my next Japan ski trip and I decided to book a rental car through Nippon Rent-a-car. I usually book from Toyota or J-Net, so this is a first. Simple enough, right? Not quite.
Their English website seems to have limited vehicle availability compared to the Japanese counterpart. So I bit the bullet and registered a account in Japanese. With a bit of machine translation helping, the process was straightforward until I had to key-in my name in Japanese.
The website disables copy-paste functionality on specific form fields. One of them is the furigana name field, which is particularly frustrating because I obviously don’t have a Japanese keyboard. My usual workaround for those registration (for instance with J-Net) is to Google Translate my English name into kanji characters and paste them in. But this website? It wouldn’t let me paste anything.
What’s worse with this kind of approach is how easily this “security measure” can be bypassed with a bit of browser-console-fu.
Here’s quick workaround in case someone comes to face the same issue.
The Problem: Annoying Client-Side Restrictions
The website has implemented a disable-copy-paste class on multiple input fields, which triggered JavaScript logic to intercept and block paste events. This is a common (and often misguided) practice on some websites, particularly in the financial and automotive sectors, supposedly for “security” reasons.
In reality, it only inconveniences users. It doesn’t prevent anyone from entering data β it just makes the process unnecessarily tedious.
The Solution: Direct DOM Manipulation
The key insight is that blocking paste events doesn’t prevent you from setting form values directly through the browser’s Document Object Model (DOM). When you use Ctrl+V, the browser fires a paste event that the website’s JavaScript can intercept and block. But when you manipulate the DOM directly via the console, you bypass the event system entirely.
Field 1: Full Name in Furigana
The first problematic field was the furigana name input, identified by the ID fullNameFurigana:
<input
class="w216 ks-big-input disable-copy-paste error-field efo_invalid"
id="fullNameFurigana"
maxlength="20"
name="fullNameFurigana"
autocomplete="off"
type="text"
value=""
style=""
>
To bypass the restriction and inject your furigana text directly, open the Chrome Developer Tools console (F12 or right-click β Inspect β Console tab) and run:
document.getElementById('fullNameFurigana').value = "YOUR FURIGANA TEXT";
Replace "YOUR FURIGANA TEXT" with your actual furigana characters. The value is set immediately, completely circumventing the paste block.
Field 2: Password Confirmation
The second field was the password confirmation input, identified by the ID passwordConfirm. I use a password manager with unique, complex passwords, and didn’t feel like re-typing this by hand:
<input
class="w216 disable-copy-paste ks-big-input efo_invalid"
id="passwordConfirm"
maxlength="50"
name="confirmPassword"
type="password"
style=""
>
Similarly, inject your password directly:
document.getElementById('passwordConfirm').value = "YOUR PASSWORD HERE";
The Takeaway
Client-side copy-paste restrictions are a frustrating UX anti-pattern that don’t actually improve security. They only inconvenience users who are trying to do legitimate things. Fortunately, they’re trivial to bypass with basic knowledge of how browsers work.
If you encounter similar restrictions on other websites, the same technique applies: identify the input field’s ID or selector, open the console, and inject the value directly.
The next time a website tries to prevent you from pasting, remember: the browser is yours to command.