Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
focus-trap
Advanced tools
The focus-trap npm package is designed to trap focus within a specified DOM element. This is particularly useful for accessibility in modal dialogs, ensuring that keyboard users do not accidentally move focus outside of the dialog, thereby improving the user experience and accessibility compliance.
Create and activate a focus trap
This code demonstrates how to create and activate a focus trap within a specified DOM element, typically a modal dialog. It ensures that all keyboard navigation remains within the 'modal' element.
const { createFocusTrap } = require('focus-trap');
const container = document.getElementById('modal');
const focusTrap = createFocusTrap(container);
focusTrap.activate();
Deactivate a focus trap
This code snippet shows how to deactivate a previously activated focus trap, allowing focus to move freely outside the trapped container once again.
focusTrap.deactivate();
Set return focus on deactivation
This feature allows setting a specific element to receive focus when the focus trap is deactivated. It enhances usability by returning focus to a logical location, such as a button that initially triggered the modal.
const focusTrap = createFocusTrap(container, {
onDeactivate: () => document.getElementById('triggerButton').focus()
});
focus-lock is similar to focus-trap in that it also provides functionality to trap focus within a DOM element. However, focus-lock offers additional features such as auto-focusing the first focusable element and integration with React components.
react-focus-lock is a React-specific implementation of focus trapping. It provides similar functionalities to focus-trap but is tailored specifically for use within React applications, making it easier to integrate with React component lifecycle.
Trap focus within a DOM node.
There may come a time when you find it important to trap focus within a DOM node — so that when a user hits Tab
or Shift+Tab
or clicks around, she can't escape a certain cycle of focusable elements.
You will definitely face this challenge when you are trying to build accessible modals.
This module is a little, modular vanilla JS solution to that problem.
Use it in your higher-level components. For example, if you are using React check out focus-trap-react, a light wrapper around this library. If you are not a React user, consider creating light wrappers in your framework-of-choice.
When a focus trap is activated, this is what should happen:
Tab
and Shift+Tab
keys will cycle through the focus trap's tabbable elements but will not leave the focus trap.Escape
key will deactivate the focus trap.When the focus trap is deactivated, this is what should happen:
For more advanced usage (e.g. focus traps within focus traps), you can also pause a focus trap's behavior without deactivating it entirely, then unpause at will.
npm install focus-trap
You can also use a UMD version published to unpkg.com
as dist/focus-trap.umd.js
and dist/focus-trap.umd.min.js
.
NOTE: The UMD build does not bundle the
tabbable
dependency. Therefore you will have to also include that one, and include it beforefocus-trap
.
<head>
<script src="https://unpkg.com/tabbable/dist/index.umd.js"></script>
<script src="https://unpkg.com/focus-trap/dist/focus-trap.umd.js"></script>
</head>
As old and as broad as reasonably possible, excluding browsers that are out of support or have nearly no user base.
Focused on desktop browsers, particularly Chrome, Edge, FireFox, Safari, and Opera.
Focus-trap is not officially tested on any mobile browsers or devices.
❗️ Safari: By default, Safari does not tab through all elements on a page, which alters the normal DOM-based tab order expected by focus-trap. If you use or support Safari with this library, make sure you and your users know they must enable the
Preferences > Advanced > Press Tab to highlight each item on a webpage
feature. Otherwise, your traps will not work the way you expect them to.
⚠️ Microsoft no longer supports any version of IE, so IE is no longer supported by this library.
💬 Focus-trap relies on tabbable so its browser support is at least what tabbable supports.
💬 Keep in mind that performance optimization and old browser support are often at odds, so tabbable may not always be able to use the most optimal (typically modern) APIs in all cases.
import * as focusTrap from 'focus-trap'; // ESM
const focusTrap = require('focus-trap'); // CJS
// UMD: `focusTrap` is defined as a global on `window`
trap = focusTrap.createFocusTrap(element[, createOptions]);
Returns a new focus trap on element
(one or more "containers" of tabbable nodes that, together, form the total set of nodes that can be visited, with clicks or the tab key, within the trap).
element
can be:
document.querySelector()
to find the DOM node); orA focus trap must have at least one container with at least one tabbable/focusable node in it to be considered valid. While nodes can be added/removed at runtime, with the trap adjusting to added/removed tabbable nodes, an error will be thrown if the trap ever gets into a state where it determines none of its containers have any tabbable nodes in them and the
fallbackFocus
option does not resolve to an alternate node where focus can go.
{() => void}
: A function that will be called before sending focus to the target element upon activation.{() => void}
: A function that will be called after sending focus to the target element upon activation.{() => void}
: A function that will be called immediately after the trap's state is updated to be paused.{() => void}
: A function that will be called after the trap has been completely paused and is no longer managing/trapping focus.{() => void}
: A function that will be called immediately after the trap's state is updated to be active again, but prior to updating its knowledge of what nodes are tabbable within its containers, and prior to actively managing/trapping focus.{() => void}
: A function that will be called after the trap has been completely unpaused and is once again managing/trapping focus.{(containers: Array<HTMLElement | SVGElement>) => Promise<void>}
: Animated dialogs have a small delay between when onActivate
is called and when the focus trap is focusable. checkCanFocusTrap
expects a promise to be returned. When that promise settles (resolves or rejects), focus will be sent to the first tabbable node (in tab order) in the focus trap (or the node configured in the initialFocus
option).{() => void}
: A function that will be called before returning focus to the node that had focus prior to activation (or configured with the setReturnFocus
option) upon deactivation.{() => void}
: A function that will be called after the trap is deactivated, after onDeactivate
. If the returnFocus
deactivation option was set, it will be called after returning focus to the node that had focus prior to activation (or configured with the setReturnFocus
option) upon deactivation; otherwise, it will be called after deactivation completes.{(trigger: HTMLElement | SVGElement) => Promise<void>}
: An animated trigger button will have a small delay between when onDeactivate
is called and when the focus is able to be sent back to the trigger. checkCanReturnFocus
expects a promise to be returned. When that promise settles (resolves or rejects), focus will be sent to to the node that had focus prior to the activation of the trap (or the node configured in the setReturnFocus
option).{HTMLElement | SVGElement | string | false | undefined | (() => HTMLElement | SVGElement | string | false | undefined)}
: By default (when undefined
or the function returns undefined
), when a focus trap is activated, the active element will receive focus if it's in the trap, otherwise, the first element in the focus trap's tab order will receive focus. With this option you can specify a different element to receive that initial focus. Can be a DOM node, or a selector string (which will be passed to document.querySelector()
to find the DOM node), or a function that returns any of these. You can also set this option to false
(or to a function that returns false
) to prevent any initial focus at all when the trap activates.
false
(or a function that returns false
) will prevent the fallbackFocus
option from being used.fallbackFocus
node option. If that option also fails to yield a node, an exception will be thrown.undefined
(i.e. not set or function returns undefined
), the default behavior will be used.{HTMLElement | SVGElement | string | () => HTMLElement | SVGElement | string}
: By default, an error will be thrown if the focus trap contains no elements in its tab order. With this option you can specify a fallback element to programmatically receive focus if no other tabbable elements are found. For example, you may want a popover's <div>
to receive focus if the popover's content includes no tabbable elements. Make sure the fallback element has a negative tabindex
so it can be programmatically focused. The option value can be a DOM node, a selector string (which will be passed to document.querySelector()
to find the DOM node), or a function that returns any of these.
initialFocus
is false
(or a function that returns false
), this function will not be called when the trap is activated, and no element will be initially focused. This function may still be called while the trap is active if things change such that there are no longer any tabbable nodes in the trap.{boolean} | (e: KeyboardEvent) => boolean)
: Default: true
. If false
or returns false
, the Escape
key will not trigger deactivation of the focus trap. This can be useful if you want to force the user to make a decision instead of allowing an easy way out. Note that if a function is given, it's only called if the ESC key was pressed.{boolean | (e: MouseEvent | TouchEvent) => boolean}
: If true
or returns true
, a click outside the focus trap will immediately deactivate the focus trap and allow the click event to do its thing (i.e. to pass-through to the element that was clicked). This option takes precedence over allowOutsideClick
when it's set to true
. Default: false
.
mousedown
(or touchstart
on mobile) event and, if true
was returned, again on the click
event. It will get the same node each time, and it's recommended that the returned value is also the same each time. Be sure to check the event type if the double call is an issue in your code.allowOutsideClick
option to better control exactly when the focus trap can be deactivated. The clickable icons are usually positioned absolutely, floating on top of the fields, and therefore not part of the container the trap is managing. When using the clickOutsideDeactivates
option, clicking on a field's 1Password icon will likely cause the trap to be unintentionally deactivated.{boolean | (e: MouseEvent | TouchEvent) => boolean}
: If set and is or returns true
, a click outside the focus trap will not be prevented (letting focus temporarily escape the trap, without deactivating it), even if clickOutsideDeactivates=false
. Default: false
.
mousedown
(or touchstart
on mobile), and then on the actual click
if the function returned true
on the first event. Be sure to check the event type if the double call is an issue in your code.clickOutsideDeactivates=true
, this option is ignored (i.e. if it's a function, it will not be called).clickOutsideDeactivates=false
.{boolean}
: Default: true
. If false
, when the trap is deactivated, focus will not return to the element that had focus before activation.
clickOutsideDeactivates=true
:
returnFocusOnDeactivate=true
and the outside click causing deactivation is on a focusable element, focus will not return to that element; instead, it will return to the node focused just before activation.returnFocusOnDeactivate=false
and the outside click is on a focusable node, focus will remain on that node instead of the node focused just before activation. If the outside click is on a non-focusable node, then "nothing" will have focus post-deactivation.{HTMLElement | SVGElement | string | (previousActiveElement: HTMLElement | SVGElement) => HTMLElement | SVGElement | string | false}
: By default, on deactivation, if returnFocusOnDeactivate=true
(or if returnFocus=true
in the deactivation options), focus will be returned to the element that was focused just before activation. With this option, you can specify another element to programmatically receive focus after deactivation. It can be a DOM node, a selector string (which will be passed to document.querySelector()
to find the DOM node upon deactivation), or a function that returns any of these to call upon deactivation (i.e. the selector and function options are only executed at the time the trap is deactivated). Can also be false
(or return false
) to leave focus where it is at the time of deactivation.
{boolean}
: By default, focus() will scroll to the element if not in viewport. It can produce unintended effects like scrolling back to the top of a modal. If set to true
, no scroll will happen.{boolean}
: Default: true
. Delays the autofocus to the next execution frame when the focus trap is activated. This prevents elements within the focusable element from capturing the event that triggered the focus trap activation.window.document
. Document where the focus trap will be active. This enables the use of FocusTrap inside an iFrame.
{Array<FocusTrap>}
: Define the global trap stack. This makes it possible to share the same stack in multiple instances of focus-trap
in the same page such that auto-activation/pausing of traps is properly coordinated among all instances as activating a trap when another is already active should result in the other being auto-paused. By default, each instance will have its own internal stack, leading to conflicts if they each try to trap the focus at the same time.{(event: KeyboardEvent) => boolean}
: (optional) Determines if the given keyboard event is a "tab forward" event that will move the focus to the next trapped element in tab order. Defaults to the TAB
key. Use this to override the trap's behavior if you want to use arrow keys to control keyboard navigation within the trap, for example. Also see isKeyBackward()
option.
TAB
key as the browser will continue to respond to it by moving focus forward because that's what using the TAB
key does in a browser, but it will no longer respect the trap's container edges as it normally would. You will need to add your own keydown
handler to call preventDefault()
on a TAB
key event if you want to completely suppress the use of the TAB
key.{(event: KeyboardEvent) => boolean}
: (optional) Determines if the given keyboard event is a "tab backward" event that will move the focus to the previous trapped element in tab order. Defaults to the SHIFT+TAB
key. Use this to override the trap's behavior if you want to use arrow keys to control keyboard navigation within the trap, for example. Also see isKeyForward()
option.
SHIFT+TAB
key as the browser will continue to respond to it by moving focus backward because that's what using the SHIFT+TAB
key sequence does in a browser, but it will no longer respect the trap's container edges as it normally would. You will need to add your own keydown
handler to call preventDefault()
on a TAB
key event if you want to completely suppress the use of the SHIFT+TAB
key sequence.⚠️ Beware that putting a focus-trap inside an open Shadow DOM means you must not use selector strings for options that support these (because nodes inside Shadow DOMs, even open shadows, are not visible via document.querySelector()
).
If you have closed shadow roots that you would like considered for tabbable/focusable nodes, use the tabbableOptions.getShadowRoot
option to provide Tabbable (used internally) with a reference to a given node's shadow root so that it can be searched for candidates.
⚠️ Using positive tab indexes (i.e. <button tabindex="1">Label</button>
) is not recommended, primarily for accessibility reasons. Supporting them properly also means a lot of hoops to jump through when Shadow DOM is used as some key DOM APIs like Node.compareDocumentPosition() do not properly support Shadow DOM.
As such, focus-trap considers using positive tabindexes an edge case and only supports them in single-container traps with some caveats for related edge case behavior (see the demo for more details).
If you try to create a multi-container trap where at least one container has one node with a positive tabindex, an exception will be thrown:
At least one node with a positive tabindex was found in one of your focus-trap's multiple containers. Positive tabindexes are only supported in single-container focus-traps.
trap.active: boolean
True if the trap is currently active.
trap.paused: boolean
True if the trap is currently paused.
trap.activate([activateOptions]) => FocusTrap
Activates the focus trap, adding various event listeners to the document.
If focus is already within it the trap, it remains unaffected. Otherwise, focus-trap will try to focus the following nodes, in order:
createOptions.initialFocus
createOptions.fallbackFocus
If none of the above exist, an error will be thrown. You cannot have a focus trap that lacks focus.
Returns the trap
.
activateOptions
:
These options are used to override the focus trap's default behavior for this particular activation.
{() => void}
: Default: whatever you chose for createOptions.onActivate
. null
or false
are the equivalent of a noop
.{() => void}
: Default: whatever you chose for createOptions.onPostActivate
. null
or false
are the equivalent of a noop
.{(containers: Array<HTMLElement | SVGElement>) => Promise<void>}
: Default: whatever you chose for createOptions.checkCanFocusTrap
.trap.deactivate([deactivateOptions]) => FocusTrap
Deactivates the focus trap.
Returns the trap
.
deactivateOptions
:
These options are used to override the focus trap's default behavior for this particular deactivation.
{boolean}
: Default: whatever you set for createOptions.returnFocusOnDeactivate
. If true
, then the setReturnFocus
option (specified when the trap was created) is used to determine where focus will be returned.{() => void}
: Default: whatever you set for createOptions.onDeactivate
. null
or false
are the equivalent of a noop
.{() => void}
: Default: whatever you set for createOptions.onPostDeactivate
. null
or false
are the equivalent of a noop
.{(trigger: HTMLElement | SVGElement) => Promise<void>}
: Default: whatever you set for createOptions.checkCanReturnFocus
. Not called if the returnFocus
option is falsy. trigger
is either the originally focused node prior to activation, or the result of the setReturnFocus
configuration option.trap.pause([pauseOptions]) => FocusTrap
Pause an active focus trap's event listening without deactivating the trap.
If the focus trap has not been activated, nothing happens.
Returns the trap
.
Any onDeactivate
callback will not be called, and focus will not return to the element that was focused before the trap's activation. But the trap's behavior will be paused.
This is useful in various cases, one of which is when you want one focus trap within another. demo-six
exemplifies how you can implement this.
pauseOptions
:
These options are used to override the focus trap's default behavior for this particular pausing.
{() => void}
: Default: whatever you chose for createOptions.onPause
. null
or false
are the equivalent of a noop
.{() => void}
: Default: whatever you chose for createOptions.onPostPause
. null
or false
are the equivalent of a noop
.trap.unpause([unpauseOptions]) => FocusTrap
Unpause an active focus trap. (See pause()
, above.)
Focus is forced into the trap just as described for focusTrap.activate()
.
If the focus trap has not been activated or has not been paused, nothing happens.
Returns the trap
.
unpauseOptions
:
These options are used to override the focus trap's default behavior for this particular unpausing.
{() => void}
: Default: whatever you chose for createOptions.onUnpause
. null
or false
are the equivalent of a noop
.{() => void}
: Default: whatever you chose for createOptions.onPostUnpause
. null
or false
are the equivalent of a noop
.trap.updateContainerElements(HTMLElement | SVGElement | string | Array<HTMLElement | SVGElement | string>) => FocusTrap
Update the element(s) that are used as containers for the focus trap.
When you call createFocusTrap()
, you give it an element (or selector), or an array of elements (or selectors) to keep the focus within. This method simply allows you to update which elements to keep the focus within even while the trap is active.
A use case for this is found in focus-trap-react, where React ref
's may not be initialized yet, but when they are you want to have them be a container element.
Returns the trap
.
Read code in docs/
and see how it works.
Here's generally what happens in default.js
(the "default behavior" demo):
const { createFocusTrap } = require('../../index');
const container = document.getElementById('default');
const focusTrap = createFocusTrap('#default', {
onActivate: () => container.classList.add('is-active'),
onDeactivate: () => container.classList.remove('is-active'),
});
document
.getElementById('activate-default')
.addEventListener('click', focusTrap.activate);
document
.getElementById('deactivate-default')
.addEventListener('click', focusTrap.deactivate);
Only one focus trap can be listening at a time. If a second focus trap is activated the first will automatically pause. The first trap is unpaused and again traps focus when the second is deactivated.
Focus trap manages a queue of traps: if A activates; then B activates, pausing A; then C activates, pausing B; when C then deactivates, B is unpaused; and when B then deactivates, A is unpaused.
The focus trap will work best if the first and last focusable elements in your trap are simple elements that all browsers treat the same, like buttons and inputs.**
Tabbing will work as expected with trickier, less predictable elements — like iframes, shadow trees, audio and video elements, etc. — as long as they are between more predictable elements (that is, if they are not the first or last tabbable element in the trap).
This limitation is ultimately rooted in browser inconsistencies and inadequacies, but it comes to focus-trap through its dependency Tabbable. You can read about more details in the Tabbable documentation.
You can't have a focus trap without focus, so an error will be thrown if you try to initialize focus-trap with an element that contains no tabbable nodes.
If you find yourself in this situation, you should give you container tabindex="-1"
and set it as initialFocus
or fallbackFocus
. A couple of demos illustrate this.
Because of the nature of the functionality, involving keyboard and click and (especially) focus events, JavaScript unit tests don't make sense. After all, JSDom does not fully support focus events. Since the demo was developed to also be the test, we use Cypress to automate running through all demos in the demo page.
⚠️ JSDom is not officially supported. Your mileage may vary, and tests may break from one release to the next (even a patch or minor release).
This topic is just here to help with what we know may affect your tests.
In general, a focus trap is best tested in a full browser environment such as Cypress, Playwright, or Nightwatch where a full DOM is available.
Sometimes, that's not entirely desirable, and depending on what you're testing, you may be able to get away with using JSDom (e.g. via Jest), but you'll have to configure your traps using the tabbableOptions.displayCheck: 'none'
option.
See Testing tabbable in JSDom for more details.
This error happens when the containers you specified when you setup your focus trap do not have -- or no longer have -- any tabbable elements in them, which means that focus will inevitably escape your trap because focus must always go somewhere.
You will hit this error if your trap does not have (or no longer has) any tabbable (and therefore focusable) elements in it, and it was not configured with a backup element (see the fallbackFocus
option -- which must still be in the trap, but does not necessarily have to be tabbable, i.e. it could have tabindex="-1"
, making it focusable, but not tabbable).
This often happens when traps are related to elements that appear and disappear dynamically. Typically, the error will fire either as the element is being shown (because the trap gets created before the trapped children have been inserted into the DOM), or as it's being hidden (because the trapped children are destroyed before the trap is either destroyed or disabled).
If you create a trap and try to use the TAB key to set focus to the first element in your trap, the first element seems unreachable because focus keeps skipping over it for some reason.
This can happen in projects where the Angular-related zone.js module is being used because Zone can interfere with Focus-trap's ability to control where focus goes when it leaves an edge node (that is, a node that is on the edge of a container in which it is trapping focus).
What is actually happening is that Focus-trap is correctly wrapping focus around to that first element (or last element, if going in reverse with SHIFT+TAB, and you're seeing that get skipped) and setting focus to it, but because of Zone's interference (in which Focus-trap's call to preventDefault()
on the focus event triggered by the TAB key press is rendered ineffective), once Focus-trap is done handling the event, the browser hasn't received the signal that its default behavior should be prevented, and so it proceeds to move focus to the next element -- effectively "skipping" over the element to which Focus-trap set focus, making it seem "unreachable".
Unfortunately, there's no good workaround to this issue from Focus-trap's perspective. The issue was reported to Angular (not by Focus-trap) and has a PR (also not by Focus-trap) for a fix.
This was originally investigated in #1165 if you want to go deeper.
See CONTRIBUTING.
In alphabetical order:
FAQs
Trap focus within a DOM node.
The npm package focus-trap receives a total of 1,675,416 weekly downloads. As such, focus-trap popularity was classified as popular.
We found that focus-trap demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.