Hallvord --

That behavior is really all I wanted, i.e. "don't let the browser
discard/ignore valid RTF clipboard data".

I would also echo Paul's thoughts: this sounds good but is there any
OS/browser-level sanitization process necessary?  I would be curious to
hear from Ben if Microsoft already has such things in place for IE.

    James Greene

On Mon, Apr 20, 2015 at 3:26 PM, Paul Libbrecht <p...@hoplahup.net> wrote:

> On 20/04/15 22:11, Hallvord Reiar Michaelsen Steen wrote:
> > Would it be a possible compromise to let a script describe data as
> > RTF, and then put said data on the clipboard with the OS's correct RTF
> > data type labelling? And vice versa, if the script asks for RTF give
> > it any RTF contents from the clipboard as raw (binary) data? Products
> > and environments that desperately need clipboard RTF support could
> > then implement their own parsers and converters in JS and write/read
> > RTF - the rest of us avoid some browser bloat.. Is this level of
> > "support" reasonable?
> Is there any security consideration that we should be aware of here?
> (e.g. embedded content)
> If not, then I think there's no issue accepting this way.
> If yes, then I guess there should be some sanitization process happening
> since otherwise untrusted web-pages could insert in the clipboard
> RTF-content that would reference external stuff that would be fetched
> when pasted in.
> paul

Reply via email to