On 03/28/2013 12:34 PM, Hallvord Reiar Michaelsen Steen wrote:
On 03/28/2013 10:36 AM, Hallvord Reiar Michaelsen Steen wrote:
In particular, WebKit has been stripping script element from
the pasted content but this may have some side effects on CSS
rules.]
AFAIK (without re-testing right now), WebKit's implementation is:
* rich text content that is pasted into a page without JS handling
  it is sanitized (SCRIPT, javascript: links etc removed)
* a paste event listener that calls getData('text/html') will get
  the full, pre-sanitized source
If that's correct I can add a short description of this to the
spec, in the informative section.
Why would this be informative?
Mainly because it seems like spec'ing it is a bit out of scope for
this spec - I'm trying to spec how clipboard events should work as
seen from the JS side. Implementation details like how data is pasted
when there is no JS or event handling involved don't seem to belong
here, and IMO the interop issues are far-fetched (though the XSS
risks aren't).
I don't see why the interop issues are particularly far-fetched. The
approach of not addressing problems in spec A because they "ought" to
be addressed in some other hypothetical spec B is something we have
tried before and it hasn't worked well yet, so I don't think we should
do it again here. As the Python doctrine goes, "practicality beats
purity".
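
If a paste listener that calls getData('text/html') receives the full, pre-sanitized source as described in the thread, a page that inserts that markup has to sanitize it itself. The following is an added example, not code from the thread or from any browser: an allowlist sanitizer applied in a paste handler. The tag and attribute allowlists and the names `sanitizeTree` and `onPaste` are assumptions chosen for illustration.

```javascript
// Added example: sanitize clipboard HTML before inserting it into the page.
// Allowlists are illustrative assumptions; anything not listed is dropped.
const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br',
                              'ul', 'ol', 'li', 'span', 'div']);
const ALLOWED_ATTRS = new Set(['href', 'title']);
const SAFE_URL = /^(https?:|mailto:|#|\/)/i; // rejects javascript:, data:, etc.

// Walks a DOM subtree in place using only standard Node/Element members.
function sanitizeTree(root) {
  for (const node of Array.from(root.childNodes)) {
    if (node.nodeType === 3) continue;              // text node: keep as is
    if (node.nodeType !== 1 || !ALLOWED_TAGS.has(node.localName)) {
      root.removeChild(node);                       // SCRIPT, STYLE, comments, unknown tags
      continue;
    }
    for (const attr of Array.from(node.attributes)) {
      const name = attr.name.toLowerCase();
      const ok = ALLOWED_ATTRS.has(name) &&
        (name !== 'href' || SAFE_URL.test(attr.value.trim()));
      if (!ok) node.removeAttribute(attr.name);     // on* handlers, style, unsafe links
    }
    sanitizeTree(node);                             // recurse into kept elements
  }
  return root;
}

// Paste handler: takes over the paste, so the page is responsible for cleaning.
function onPaste(event) {
  event.preventDefault();
  const html = event.clipboardData.getData('text/html');
  // DOMParser builds an inert document: scripts in it are not executed.
  const doc = new DOMParser().parseFromString(html, 'text/html');
  const clean = sanitizeTree(doc.body);
  const range = window.getSelection().getRangeAt(0);
  range.deleteContents();
  const frag = document.createDocumentFragment();
  while (clean.firstChild) frag.appendChild(clean.firstChild);
  range.insertNode(frag);
}
```

In a browser the handler would be registered with `addEventListener('paste', onPaste)` on the editable element. Disallowed elements are removed together with their children.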