On 03/28/2013 10:36 AM, Hallvord Reiar Michaelsen Steen wrote:
> >> In particular, WebKit has been stripping script elements from the
> >> pasted content but this may have some side effects on CSS rules.]

> > AFAIK (without re-testing right now), WebKit's implementation is:
> > * rich text content that is pasted into a page without JS handling it is 
> > sanitized (SCRIPT, javascript: links etc removed)
> > * a paste event listener that calls getData('text/html') will get the full, 
> > pre-sanitized source
> >
> >
> > If that's correct I can add a short description of this to the spec, in the 
> > informative section.
> 

> Why would this be informative?


Mainly because it seems like spec'ing it is a bit out of scope for this spec - 
I'm trying to spec how clipboard events should work as seen from the JS side. 
Implementation details like how data is pasted when there is no JS or event 
handling involved don't seem to belong here, and IMO the interop issues are 
far-fetched (though the XSS risks aren't).


Now, if there is interest in implementing this among other vendors, and general 
agreement that we should have this in the clipboard events spec, I'm happy to 
say something about this in normative prose. In other words, I'll just play 
this ball right over to the Mozilla and Microsoft representatives: do you 
currently implement, or do you plan to implement what WebKit does here?


> It seems quite possible to construct 
> interop problems stemming from different implementations here e.g. a 
> site that assumes that there will never be <script> elements in pasted 
> text, or a site that assumes it can get scripts in the result of 
> getData("text/html"). Therefore the exact behaviour of the platform in 
> this respect needs to be normatively defined.



The latter aspect should be normatively defined already, in so far as the 
normative getData('text/html') stuff doesn't spec any sanitization. So I think 
the interop is taken care of. As an anti-XSS measure, how to handle pasting of 
potentially risky content might be covered for example in specs for rich text 
editing.

-- 
Hallvord R. M. Steen
Core tester, Opera Software
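
Added example (not part of the thread, and not WebKit's or any other browser's code): a paste listener in JavaScript that treats the string returned by getData('text/html') as untrusted, next to the pattern that trusts it. The thread's point is that the engine-side sanitization only applies when no script handles the paste; a listener sees the raw source, so a page that inserts it must sanitize it itself. The allow-lists, the SAMPLE_PASTE string and the helper names (tokenize, sanitizeHtml, install*PasteHandler) are this example's assumptions; the sanitizer is written as a string tokenizer so that it runs outside a browser, and only the two install* functions need a DOM.

```javascript
// Added example, not code from the thread or from any browser engine. WebKit sanitizes
// pasted rich text only when no script handles the paste; a listener calling
// getData('text/html') receives the raw source and must sanitize it itself.
// Allow-lists are this example's assumption; tune them for your editor.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'u', 'em', 'strong', 'ul', 'ol', 'li', 'a', 'span']);
const ALLOWED_ATTRS = new Set(['href', 'title']);
const RAW_TEXT_TAGS = new Set(['script', 'style']); // removed together with their contents
const SAFE_HREF = /^(?:https?:|mailto:|\/|#)/i;    // javascript:, data:, vbscript: ... fail this
const TAG_RE = /^<\s*(\/?)([a-zA-Z][\w:-]*)([\s\S]*?)\/?>$/;
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n' };

// Constructed sample of what getData('text/html') could return (not a real clipboard capture).
const SAMPLE_PASTE = '<p>Hello <b>world</b></p><script>alert(1)</script><a href="javascript:alert(2)" onclick="alert(3)">link</a>'
  + '<img src=x onerror="alert(4)"><a href="java&#115;cript:alert(5)">x</a><a href="https://example.com" title="ok>x">ok</a>';

// Decode character references before testing a URL: the browser turns java&#115;cript:
// into javascript:, so the scheme check must see the decoded value.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (whole, body) => {
    if (body[0] !== '#') return NAMED_ENTITIES[body] === undefined ? whole : NAMED_ENTITIES[body];
    const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
  });
}

const escapeAttr = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');

// Split markup into text and tag tokens (comments are dropped). A tag ends at the
// first '>' outside a quoted attribute value, so title="a>b" does not truncate it.
function tokenize(html) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    if (html.startsWith('<!--', i)) {
      const end = html.indexOf('-->', i + 4);
      i = end === -1 ? html.length : end + 3;
    } else if (html[i] === '<' && /[a-zA-Z!\/]/.test(html[i + 1] || '')) {
      let j = i + 1, quote = null;
      for (; j < html.length && (quote || html[j] !== '>'); j++) {
        if (quote) { if (html[j] === quote) quote = null; } else if (html[j] === '"' || html[j] === "'") quote = html[j];
      }
      tokens.push({ type: 'tag', raw: html.slice(i, j + 1) });
      i = j + 1;
    } else {
      let j = html.indexOf('<', i + 1);
      if (j === -1) j = html.length;
      tokens.push({ type: 'text', raw: html.slice(i, j) });
      i = j;
    }
  }
  return tokens;
}

// Rebuild the markup with allow-listed elements and attributes only. Disallowed
// elements are unwrapped (children kept); script/style disappear with their contents.
function sanitizeHtml(html) {
  const out = [];
  let skipUntil = null; // raw-text element whose contents are being dropped
  for (const tok of tokenize(html)) {
    const m = tok.type === 'tag' ? TAG_RE.exec(tok.raw) : null;
    if (skipUntil) {
      if (m && m[1] === '/' && m[2].toLowerCase() === skipUntil) skipUntil = null;
      continue;
    }
    if (tok.type === 'text') { out.push(tok.raw.replace(/</g, '&lt;')); continue; }
    if (!m) continue; // doctype or malformed tag: fail closed
    const closing = m[1] === '/', name = m[2].toLowerCase();
    if (RAW_TEXT_TAGS.has(name)) { if (!closing) skipUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;
    if (closing) { out.push(`</${name}>`); continue; }
    let attrs = '';
    for (const a of m[3].matchAll(ATTR_RE)) {
      const attr = a[1].toLowerCase();
      if (!ALLOWED_ATTRS.has(attr)) continue; // drops onclick, onerror, style, ...
      const value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? '');
      // Browsers ignore tabs, newlines and leading controls in URLs; strip them before checking the scheme.
      if (attr === 'href' && !SAFE_HREF.test(value.replace(/[\u0000-\u0020]/g, ''))) continue;
      attrs += ` ${attr}="${escapeAttr(value)}"`;
    }
    out.push(`<${name}${attrs}>`);
  }
  return out.join('');
}

// Vulnerable: inserts the raw markup. A <script> set through innerHTML does not execute,
// but onerror/onclick handlers and javascript: links do, and stored raw source reaches other sinks later.
function installVulnerablePasteHandler(editor) {
  editor.addEventListener('paste', (e) => {
    const raw = e.clipboardData.getData('text/html');
    if (raw) { e.preventDefault(); editor.innerHTML += raw; }
  });
}

// Hardened: sanitize before insertion, or fall back to the plain-text flavour.
function installSafePasteHandler(editor) {
  editor.addEventListener('paste', (e) => {
    e.preventDefault();
    const raw = e.clipboardData.getData('text/html');
    if (raw) editor.insertAdjacentHTML('beforeend', sanitizeHtml(raw));
    else editor.append(e.clipboardData.getData('text/plain'));
  });
}
```

In a real page a parser-backed sanitizer (a DOMParser or template walk over an allow-list, or a maintained library such as DOMPurify) is the sturdier choice; the string tokenizer here is only so that the example runs outside a browser. The point it illustrates is the one from the thread: the listener sees the raw text/html flavour, not the sanitized paste, so the sanitization step has to live in the page.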