> > In addition, from a security perspective, what stops a malicious website
> > from embedding something like <img src="file:///etc/passwd"
> > style="display:none"></img> in the markup?
>
> We disallow this on copy by stripping such references.

Hi Ben, picking up this old thread...

So we need to add a "sanitize local references" step/algorithm somewhere when JS writes data to clipboard? It would be great if you could have a look at https://w3c.github.io/clipboard-apis/#dfn-writing-contents-to-the-clipboard and suggest some text - maybe even in the form of a GitHub pull request? :)

(I assume you strip *all* local references, not just specific blacklisted stuff like /etc/passwd - this probably needs testing with various types of slashes etc.)

Do you have any other safety measures when data is written to the clipboard?

-Hallvord
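
One way the "sanitize local references" step asked about above could look, as an added example that is not part of the original message, the Clipboard API spec, or any browser's implementation. The function names, the attribute list, the element records standing in for parsed markup, and the `example.com` page URL are all assumptions made for illustration.

```javascript
// Added example: names, attribute list and sample data are assumptions.
const URL_ATTRS = new Set(["src", "href", "poster", "data", "background"]);

// True when `value`, resolved against the copying page's URL, is a file: URL.
// The WHATWG URL parser does the normalising: it trims surrounding whitespace,
// drops embedded tabs/newlines, lower-cases the scheme and reads "\" as "/"
// for special schemes such as file:.
function isLocalReference(value, pageURL) {
  let url;
  try {
    url = new URL(value, pageURL);
  } catch {
    return false; // not a parsable URL, so nothing can be fetched from it
  }
  return url.protocol === "file:";
}

// Drop URL-bearing attributes that point at local files; keep everything else.
// `elements` stands in for a walk over the parsed clipboard markup.
// srcset lists and CSS url() values need their own parsers and are not covered.
function stripLocalReferences(elements, pageURL) {
  return elements.map(({ tag, attrs }) => {
    const kept = {};
    for (const [name, value] of Object.entries(attrs)) {
      const isUrlAttr = URL_ATTRS.has(name.toLowerCase());
      if (isUrlAttr && isLocalReference(value, pageURL)) continue;
      kept[name] = value;
    }
    return { tag, attrs: kept };
  });
}

// Constructed sample: the hidden image from the thread plus spelling variants.
const PAGE = "https://example.com/article";
const SAMPLE = [
  { tag: "img", attrs: { src: "file:///etc/passwd", style: "display:none" } },
  { tag: "img", attrs: { SRC: "FILE:\\\\\\etc\\passwd" } },
  { tag: "img", attrs: { src: " fi\tle:/etc/passwd" } },
  { tag: "img", attrs: { src: "/etc/passwd", alt: "same-origin path" } },
  { tag: "a", attrs: { href: "https://example.com/file:notes" } },
];

console.log(stripLocalReferences(SAMPLE, PAGE));
```

Matching on the parsed scheme rather than on the raw string is what covers the slash, case and whitespace variants without a list of patterns to maintain.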