On Wed, 18 May 2011, Daniel Cheng wrote:
> On Wed, May 18, 2011 at 16:54, Hallvord R. M. Steen <[email protected]> wrote:
> >
> > Not 100% sure what you mean by "concerns" - do you mean for example if
> > I drag a selection that embeds local images from my local word
> > processing application to an online editor? I don't know how/if DnD
> > handles this use case. CCing Ian.
>
> We're going out of our way to do lots of special processing for HTML in
> a paste. Why doesn't a drop of HTML get the same treatment?
Presumably the scenario is that hostile page A provides some content and gets the user to select and copy or drag it to page B's contentEditable region, including any script in the selection, which once pasted becomes a cross-site scripting vulnerability.

As far as I see it, the right way to solve this is for dragging, copying, dropping, and pasting of HTML to filter the DOM using a whitelist. It's not clear to me that this needs to be done in an interoperable way.

I've mentioned this in the drag-and-drop spec.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /, _.. \ _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
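As an added illustration (not from this thread and not any browser's code), the kind of whitelist filter Ian describes, written over Python's standard-library HTML parser; an editor would run the equivalent in its paste or drop handler before inserting the fragment into the contentEditable region. The allow-lists and the `sanitize_html` name are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-lists for this example; a real editor would tune them.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID = {"br", "img"}  # no end tag to emit

def safe_url(value):
    # Reject control chars (browsers strip them, so "java\tscript:" would slip past) and bad schemes.
    value = (value or "").strip()
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in value):
        return None
    return value if urlparse(value).scheme.lower() in SAFE_SCHEMES else None

class WhitelistFilter(HTMLParser):
    """Re-serialises a fragment keeping only whitelisted tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 inside DROP_WITH_CONTENT
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:  # unknown tag: dropped, text kept
            kept = []
            for name, value in attrs:  # names already lowercased, entities decoded
                if name not in ALLOWED_ATTRS.get(tag, ()):
                    continue  # drops every on* handler, style, etc.
                if name in ("href", "src"):
                    value = safe_url(value)
                    if value is None:
                        continue  # javascript:, data:, vbscript:, ...
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_html(fragment):
    f = WhitelistFilter()
    f.feed(fragment)
    f.close()  # flush any buffered trailing text
    return "".join(f.out)
```

Because the parser decodes entities before the checks run and the output is re-escaped, an entity-encoded scheme in an attribute is caught the same way as a plain one.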
