Regarding pasting from the clipboard: http://stackoverflow.com/questions/3896824/html5-read-the-clipboard/6667108

-----------

Perhaps the HTML5 Core spec doesn't provide an API for accessing the clipboard, but one of the APIs in the HTML5 family of APIs does. It's called 'Clipboard API and Events,' and it's currently (as of July 2011) a Working Draft. You can find the spec here:
http://www.w3.org/TR/clipboard-apis/

As for implementations, well, I couldn't find one just yet.

-----------

No, there is no built-in API for accessing the clipboard. BUT you can use https://github.com/mojombo/clippy for accessing the clipboard. It's Flash, not Java, so it should be ok for you to use. The advantage is it works across all Flash-capable browsers.

-----------

Regarding sanitization: http://stackoverflow.com/questions/8190770/detect-a-paste-event-in-a-contenteditable

-----------

You can listen for the onPaste event on the div to detect the paste. If you just want to disable the paste you can call event.preventDefault() from that listener.

To capture the pasted content however is a little bit more difficult since the onPaste event does not give you access to the pasted content. The usual way to handle this is to do the following from the onPaste event handler:
- create a dummy div and place it outside the window boundaries so it's not visible to visitors
- move the focus to this div
- call a sanitizer method using a setTimeout(sanitize, 0)

and from your sanitizing method:
- find the dummy div and get its contents
- sanitize the HTML and remove the div
- move the focus back to the original div
- insert the sanitized content in the original div

-----------

https://groups.google.com/d/msg/closure-library-discuss/cDQGNAoGH4o/7KAq5BzsYAoJ

-----------

I've been trying to solve this exact problem of forbidding rich paste :-)

In WebKit, I use contentEditable=plaintext-only

In Firefox, I detect the paste, and then select a display:-moz-deck zero-width zero-height overflow-hidden div that's a child of the contentEditable, then I cancel the native paste, and then let the paste happen there. From there, the contents get extracted and plain text appears.

In IE, I use: onpaste="document.selection.createRange().text=clipboardData.getData('Text')"

In Firefox, though, you still have a self-XSS attack, where a user can be tricked into pasting something malicious. However, in Firefox, the scope of these XSS attacks is that images get loaded, leaking referers. IE also loads iframes if you let the native paste event happen -- using a DOM0 handler for onpaste seems to avoid this, while not popping a security warning. WebKit's plaintext-only is a saviour.

--------------

-- Mike Stay - [email protected] http://www.cs.auckland.ac.nz/~mike http://reperiendi.wordpress.com
