I don't think I would feel comfortable with allowing web pages to place unsanitized RTF in the system clipboard. This would allow webapps to trigger exploits such as CVE-2014-1761.

Daniel

On Mon, Apr 20, 2015 at 11:01 PM James M. Greene <james.m.gre...@gmail.com> wrote:

> Hallvord --
>
> That behavior is really all I wanted, i.e. "don't let the browser
> discard/ignore valid RTF clipboard data".
>
> I would also echo Paul's thoughts: this sounds good but is there any
> OS/browser-level sanitization process necessary? I would be curious to
> hear from Ben if Microsoft already has such things in place for IE.
>
> Sincerely,
> James Greene
>
>
> On Mon, Apr 20, 2015 at 3:26 PM, Paul Libbrecht <p...@hoplahup.net> wrote:
>
>> On 20/04/15 22:11, Hallvord Reiar Michaelsen Steen wrote:
>> > Would it be a possible compromise to let a script describe data as
>> > RTF, and then put said data on the clipboard with the OS's correct RTF
>> > data type labelling? And vice versa, if the script asks for RTF give
>> > it any RTF contents from the clipboard as raw (binary) data? Products
>> > and environments that desperately need clipboard RTF support could
>> > then implement their own parsers and converters in JS and write/read
>> > RTF - the rest of us avoid some browser bloat.. Is this level of
>> > "support" reasonable?
>> Is there any security consideration that we should be aware of here?
>> (e.g. embedded content)
>> If not, then I think there's no issue accepting this way.
>> If yes, then I guess there should be some sanitization process happening
>> since otherwise untrusted web-pages could insert in the clipboard
>> RTF-content that would reference external stuff that would be fetched
>> when pasted in.
>>
>> paul
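
Added example, not part of the thread or of any browser's code: a JavaScript check of the kind Paul's question points at, scanning RTF that a script wants to place on the clipboard for control words that embed objects or pull in external content. The function name `findRiskyRtf`, the control-word list and the field list are assumptions chosen for illustration, and the sample string is constructed.

```javascript
// Flags RTF constructs that embed objects or reference external content.
// The two lists below are illustrative assumptions, not an exhaustive policy.
const RISKY_WORDS = new Set([
  "object", "objdata", "objemb", "objlink", "objautlink", "objocx", "template",
]);
const RISKY_FIELDS = /\b(INCLUDEPICTURE|INCLUDETEXT|DDE|DDEAUTO)\b/i;

function findRiskyRtf(rtf) {
  const findings = [];
  let depth = 0, fieldDepth = -1, fieldText = ""; // fieldDepth: open \fldinst group
  for (let i = 0; i < rtf.length; ) {
    const ch = rtf[i];
    if (ch === "{") { depth++; i++; continue; }
    if (ch === "}") {
      if (fieldDepth !== -1 && depth === fieldDepth) {
        const f = RISKY_FIELDS.exec(fieldText);   // field instruction is complete
        if (f) findings.push("field:" + f[1].toUpperCase());
        fieldDepth = -1;
      }
      depth--; i++; continue;
    }
    if (ch !== "\\") {
      if (fieldDepth !== -1) fieldText += ch;      // plain text inside \fldinst
      i++; continue;
    }
    // Control word: backslash, letters, optional signed number, optional space.
    const m = /^\\([a-zA-Z]+)(-?\d+)? ?/.exec(rtf.slice(i, i + 64));
    if (!m) { i += 2; continue; }                  // control symbol: \* \\ \{ \'
    i += m[0].length;
    // \binN is followed by N raw bytes that an RTF reader does not parse;
    // skip them so they cannot hide or fake control words.
    if (m[1] === "bin") { i += Math.max(0, Number(m[2] || 0)); continue; }
    if (m[1] === "fldinst") { fieldDepth = depth; fieldText = ""; }
    if (RISKY_WORDS.has(m[1])) findings.push("control:" + m[1]);
  }
  return findings;
}

// Constructed sample: a field that would fetch a remote image when pasted.
const SAMPLE = String.raw`{\rtf1{\field{\*\fldinst{ INCLUDEPICTURE "http://example.invalid/x.png" \\d }}{\fldrslt }}}`;
console.log(findRiskyRtf(SAMPLE));
```

A list-based check like this covers only embedded and externally referenced content; it does not validate the RTF against parser bugs of the kind Daniel cites.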