> The current clipboard API specification mentions security risks
> of copy & paste but doesn't seem to explicitly mention methods by
> which user agents deal with such security risks.
Hi Ryosuke,
I did remove the section on cleaning up content because it was not implemented
by anyone and seemed unlikely to be - but there is some advice in section 8.1
("Security risks"). It mentions "The user might paste malicious JavaScript into
a trusted page." among the risks and suggests (in the table) that the UA may
sanitize content that comes from a different origin. I assume you want some
more details added here, right?
> In particular, WebKit has been stripping script element from the
> pasted content but this may have some side effects on CSS rules.
AFAIK (without re-testing right now), WebKit's implementation is:
* rich text content that is pasted into a page without JS handling it is
sanitized (SCRIPT, javascript: links, etc. removed)
* a paste event listener that calls getData('text/html') will get the full,
pre-sanitized source
If that's correct I can add a short description of this to the spec, in the
informative section.
--
Hallvord R. M. Steen
Core tester, Opera Software
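The consequence of the behaviour described above is that a page which handles its own paste events via getData('text/html') gets the raw source and has to do the sanitizing itself. The following is an added example, not code from this thread, from Opera or from WebKit: a paste handler together with a small sanitizer that drops SCRIPT (and similar active elements), inline event handlers and javascript: URLs before the pasted markup is inserted. The names sanitizeHtml, installPasteHandler, the regex tokenizer and the SAMPLE_PASTE string are all constructed for this example; the tokenizer exists only so the logic can run outside a browser, and a real page should parse the payload with DOMParser and walk the resulting tree (or use a maintained sanitizer), since a regex cannot see entity-encoded schemes or malformed markup the way the HTML parser does.

```javascript
// Added example, not from the thread and not WebKit's or Opera's code.
// Policy: a paste listener that reads text/html gets the raw, unsanitized
// source, so the page itself has to strip active content before inserting it.
// The regex tokenizer below is an illustration that runs outside a browser;
// in a real page parse with DOMParser and walk the tree instead.

// Elements dropped together with everything up to their end tag
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'template']);
// Void/metadata elements dropped as a single tag
const DROP_TAG = new Set(['link', 'meta', 'base', 'embed']);
// Attributes whose value is a URL and may carry a script scheme
const URL_ATTRS = new Set(['href', 'src', 'xlink:href', 'formaction', 'action']);

// One tag: group 1 = "/" on an end tag, 2 = tag name, 3 = raw attribute text
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9:-]*)([^>]*)>/g;
// One attribute: name, then an optional double-quoted, single-quoted or bare value
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const ATTR_NAME_RE = /^[a-zA-Z_:][\w:.-]*$/;

function unsafeUrl(value) {
  // Browsers ignore leading whitespace and control characters when reading
  // the scheme, so remove them before comparing. data: is dropped too; a
  // policy that needs inline images can allow it on img src only.
  const scheme = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return /^(javascript|vbscript|data):/.test(scheme);
}

function sanitizeAttributes(rawAttrs) {
  const kept = [];
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (!ATTR_NAME_RE.test(name)) continue;      // e.g. the "/" of <br/>
    if (name.startsWith('on')) continue;         // inline event handlers
    if (name === 'style') continue;              // no inline CSS from the clipboard
    const value = [m[2], m[3], m[4]].find((v) => v !== undefined);
    if (value !== undefined && URL_ATTRS.has(name) && unsafeUrl(value)) continue;
    kept.push(value === undefined ? name : `${name}="${value.replace(/"/g, '&quot;')}"`);
  }
  return kept.length ? ' ' + kept.join(' ') : '';
}

function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  let skipping = null; // name of the blocked element whose content is being dropped
  for (const m of html.matchAll(TAG_RE)) {
    const [tag, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    const text = html.slice(last, m.index);
    last = m.index + tag.length;
    if (skipping) {
      if (slash && name === skipping) skipping = null;
      continue; // text and tags inside a blocked element are dropped
    }
    out += text;
    if (DROP_TAG.has(name)) continue;
    if (DROP_WITH_CONTENT.has(name)) {
      if (!slash) skipping = name;
      continue; // a stray end tag is dropped as well
    }
    out += slash ? `</${name}>` : `<${name}${sanitizeAttributes(rawAttrs)}>`;
  }
  if (!skipping) out += html.slice(last); // trailing text after the last tag
  return out;
}

// Browser side (guarded so the file also runs under Node): take over the paste,
// sanitize the raw text/html ourselves, then insert it. Appending at the end of
// the editor keeps the example short; a real editor inserts at the caret.
function installPasteHandler(editor) {
  editor.addEventListener('paste', (event) => {
    const html = event.clipboardData.getData('text/html');
    if (!html) return; // plain-text paste: let the browser handle it
    event.preventDefault();
    editor.insertAdjacentHTML('beforeend', sanitizeHtml(html));
  });
}

// Constructed sample of what getData('text/html') could return for a hostile paste
const SAMPLE_PASTE =
  '<p onclick="alert(1)">Hi <b>there</b></p>' +
  '<script>steal()</script>' +
  '<a href="javascript:alert(1)">x</a>' +
  '<a href="https://example.com/">ok</a>' +
  '<img src="x" onerror="alert(1)">';

if (typeof document !== 'undefined' && document.getElementById('editor')) {
  installPasteHandler(document.getElementById('editor'));
} else {
  console.log(sanitizeHtml(SAMPLE_PASTE));
}
```

Run under Node it prints the cleaned markup for the constructed sample; loaded in a page with an element whose id is "editor", it attaches the handler. The check is deliberately placed in the paste listener rather than relying on the browser, because, as the message above explains, the listener is exactly the path that bypasses the UA's own sanitizing.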