I don't think I would feel comfortable with allowing web pages to place
unsanitized RTF in the system clipboard. This would allow webapps to
trigger exploits such as CVE-2014-1761.


On Mon, Apr 20, 2015 at 11:01 PM James M. Greene <james.m.gre...@gmail.com>

> Hallvord --
> That behavior is really all I wanted, i.e. "don't let the browser
> discard/ignore valid RTF clipboard data".
> I would also echo Paul's thoughts: this sounds good but is there any
> OS/browser-level sanitization process necessary?  I would be curious to
> hear from Ben if Microsoft already has such things in place for IE.
> Sincerely,
>     James Greene
> On Mon, Apr 20, 2015 at 3:26 PM, Paul Libbrecht <p...@hoplahup.net> wrote:
>> On 20/04/15 22:11, Hallvord Reiar Michaelsen Steen wrote:
>> > Would it be a possible compromise to let a script describe data as
>> > RTF, and then put said data on the clipboard with the OS's correct RTF
>> > data type labelling? And vice versa, if the script asks for RTF give
>> > it any RTF contents from the clipboard as raw (binary) data? Products
>> > and environments that desperately need clipboard RTF support could
>> > then implement their own parsers and converters in JS and write/read
>> > RTF - the rest of us avoid some browser bloat.. Is this level of
>> > "support" reasonable?
>> Is there any security consideration that we should be aware of here?
>> (e.g. embedded content)
>> If not, then I think there's no issue accepting this way.
>> If yes, then I guess there should be some sanitization process happening
>> since otherwise untrusted web-pages could insert in the clipboard
>> RTF-content that would reference external stuff that would be fetched
>> when pasted in.
>> paul

Reply via email to