On Fri, 10 Feb 2012 01:24:05 +0100, Ian Hickson <[email protected]> wrote:
> We're going out of our way to do lots of special processing for HTML in
> a paste. Why doesn't a drop of HTML get the same treatment?
This is a good question.
> Presumably the scenario is that hostile page A provides some content and
> gets the user to select and copy or drag it to page B's contentEditable
> region, including any script in the selection, which once pasted becomes
> a cross-site scripting vulnerability.
That might be one threat model, but it's one that UAs are already
handling. Most UAs remove or plan to remove SCRIPT tags from pasted HTML
data.
> I've mentioned this in the drag-and-drop spec.
Good idea.
Now, I don't think that was the question Daniel Cheng was asking. If you
look at the HTML/XHTML specific instructions for the paste event (in the
processing model section:
http://dev.w3.org/2006/webapi/clipops/#processing-model ) you'll see that
it specifies quite a bit of parsing and such. The goals are:
* Resolve URLs and links - the page script won't know the base URI to
resolve against (on Windows this is in the CF_HTML format's meta data and
the page script doesn't get access to it)
* Make it possible to paste HTML from a local application that embeds
local resources (<img src="file://..">) and enable page scripts to process
and upload said resources
* Optionally do extra privacy or security-related filtering if the UA
implementor considers it useful
So, I think the question Daniel is asking is: why don't we process URLs
and local resources this way if HTML data is drag-and-dropped to a page?
Should this processing be moved to the DnD spec?
Finally, regarding the topic this E-mail's subject is dealing with, I've
spec'ed this: implementation should use clipboard content sequence number
on platforms where this is available, creativity elsewhere, to make sure
script can only access one single clipboard entry. I've also added a test
for this.
--
Hallvord R. M. Steen, Core Tester, Opera Software
http://www.opera.com http://my.opera.com/hallvors/
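The three goals listed above for HTML paste processing (resolve URLs against the clipboard's base URI, expose embedded local resources to page script for upload, and strip script as a privacy/security filter) are easy to see in a small model. The following is an added illustration, not code from the clipops spec, Opera, or any UA: it uses Python's standard-library HTML parser to rewrite a pasted fragment the way a UA's processing model might, with the base URI, attribute list and sample fragment all being assumptions of the example.

```python
"""Model of UA-side processing of pasted HTML (added example, not spec text).

Goals mirrored from the thread:
  * resolve relative URLs against the base URI carried with the clipboard data
  * collect local (file:) resources so page script can upload them separately
  * drop SCRIPT elements, inline event handlers and javascript: URLs
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes treated as URL-bearing (assumption of this example; a real UA
# would use the full list from the HTML spec).
URL_ATTRS = {"href", "src", "poster", "cite"}
# Elements removed entirely, including their content.
DROPPED_ELEMENTS = {"script"}
# Void elements never get a closing tag when the fragment is re-serialised.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}


class PasteProcessor(HTMLParser):
    """Re-serialises a fragment while applying the three processing goals."""

    def __init__(self, base_uri):
        super().__init__(convert_charrefs=True)
        self.base_uri = base_uri          # from the clipboard metadata (CF_HTML on Windows)
        self.out = []                     # pieces of the rewritten fragment
        self.local_resources = []         # file: URLs the page script may upload
        self._skip_depth = 0              # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_ELEMENTS:
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):     # inline event handler: script by another name
                continue
            if value is None:             # boolean attribute such as <input disabled>
                kept.append(name)
                continue
            if name in URL_ATTRS:
                value = urljoin(self.base_uri, value)   # page script has no base to do this
                scheme = urlparse(value).scheme
                if scheme == "javascript":              # executable URL: drop the attribute
                    continue
                if scheme == "file":                    # local resource embedded by the source app
                    self.local_resources.append(value)
            kept.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        if tag in DROPPED_ELEMENTS:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if self._skip_depth or tag in VOID_ELEMENTS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def process_paste(html_fragment, base_uri):
    """Return (rewritten fragment, list of file: resources found in it)."""
    p = PasteProcessor(base_uri)
    p.feed(html_fragment)
    p.close()
    return p.result(), p.local_resources


# Constructed sample: what a local editor might put on the clipboard, plus
# the hostile-page case from the thread (script, handler, javascript: link).
SAMPLE_FRAGMENT = (
    '<p>See <a href="page2.html" onclick="steal()">next</a> '
    '<img src="file:///C:/Users/me/pic.png"> '
    '<script>alert(1)</script>'
    '<a href="javascript:alert(2)">x</a> &amp; done</p>'
)
SAMPLE_BASE = "https://example.test/doc/"   # assumed base URI from clipboard metadata

if __name__ == "__main__":
    rewritten, resources = process_paste(SAMPLE_FRAGMENT, SAMPLE_BASE)
    print(rewritten)
    print("local resources to upload:", resources)
```

The point of the model is the division of labour: only the UA sees the base URI and the local file references, so it resolves the former and surfaces the latter, while the filtering step removes script before the fragment ever reaches the target page's DOM.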
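The last paragraph describes binding script's clipboard access to a single clipboard entry via the platform's content sequence number. As an added sketch, not Opera's implementation or spec text, the following models that rule: the read handle handed to the paste event remembers the sequence number current at dispatch and refuses to return data once the clipboard has moved on. The toy `SystemClipboard` (a counter that increments on every write, as the Windows clipboard sequence number does) is an assumption of the example.

```python
"""Single-entry clipboard access bound to a sequence number (added example)."""


class SystemClipboard:
    """Toy OS clipboard: one current entry plus a monotonically increasing
    sequence number that changes on every write (assumption of this model)."""

    def __init__(self):
        self.sequence_number = 0
        self._current = None

    def write(self, text):
        self.sequence_number += 1
        self._current = text
        return self.sequence_number

    def read_current(self):
        return self._current


class ClipboardReadHandle:
    """What a page script receives from a paste event: a handle that can only
    ever yield the entry that was on the clipboard when the event fired."""

    def __init__(self, clipboard):
        self._clipboard = clipboard
        self._bound_seq = clipboard.sequence_number   # captured at dispatch time

    def get_data(self):
        # If anything has been copied since the event, the entry the user
        # pasted is gone and the script must not see the newer one.
        if self._clipboard.sequence_number != self._bound_seq:
            raise PermissionError("clipboard changed since the paste event")
        return self._clipboard.read_current()


def simulate_paste_then_copy():
    """Return (data read during the event, whether a later read was refused)."""
    clipboard = SystemClipboard()
    clipboard.write("text the user chose to paste")   # constructed sample entry
    handle = ClipboardReadHandle(clipboard)           # paste event dispatched here
    first_read = handle.get_data()                    # allowed: same entry
    clipboard.write("something copied afterwards")    # user copies again later
    try:
        handle.get_data()                             # must fail: different entry
        refused = False
    except PermissionError:
        refused = True
    return first_read, refused


if __name__ == "__main__":
    print(simulate_paste_then_copy())
```

On platforms without a sequence number the handle would need another change detector (a content hash taken at dispatch, for instance), which is the "creativity elsewhere" the message alludes to.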