But then it goes even further with just about any type for which broken parsers exist. HTML is certainly a good example since it's very diversely implemented.
An application that lives on a desktop and fails on some images would be exposing its user if the user downloads content and opens it with the application. Is the difference that the browser warns the user that the picture has been downloaded? I've never seen a warning about a downloaded picture.

Paul

On 9/06/15 23:25, Wez wrote:
> IIUC that approach won't help, because the problem here is not
> necessarily invalid/malformed data, but even valid data that some
> decoders fail to handle gracefully.
>
> On 9 June 2015 at 14:13, Paul Libbrecht <p...@hoplahup.net> wrote:
>
> On 9/06/15 23:08, Daniel Cheng wrote:
>>
>> So the solution is to require that browsers that make known
>> media-types in the clipboard actually parse it for its value?
>> That sounds doable (and probably even useful: e.g. put other
>> picture flavours in case of pictures).
>>
>> I don't think I understand what this means.
> Since the browser is what would act on behalf of JS when putting a
> given data into the clipboard, it could check that this data is
> well formed and maybe matches the patterns of known exploits.
>
> paul
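A sketch of the well-formedness check proposed in the thread, for PNG data about to be placed on the clipboard; this is an added example, not code from the thread's participants or from any browser, and `checkPngStructure`, `chunk` and `makeSamplePng` are hypothetical names. It validates only signature, chunk framing and CRCs, so any structurally valid file passes, which is the limitation raised in the reply about valid data that some decoders mishandle.

```javascript
const PNG_SIG = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];
const CRC_TABLE = Array.from({ length: 256 }, (_, n) => {
  let c = n;
  for (let k = 0; k < 8; k++) c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
  return c >>> 0;
});
function crc32(bytes) {
  let c = 0xffffffff;
  for (const b of bytes) c = CRC_TABLE[(c ^ b) & 0xff] ^ (c >>> 8);
  return (c ^ 0xffffffff) >>> 0;
}
// Hypothetical helper: returns { ok, reason } for a Uint8Array.
function checkPngStructure(bytes) {
  if (bytes.length < 8 || PNG_SIG.some((v, i) => bytes[i] !== v))
    return { ok: false, reason: "bad signature" };
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  let off = 8;
  while (off + 12 <= bytes.length) {
    const len = view.getUint32(off); // big-endian data length
    const end = off + 12 + len;      // length + type + data + CRC
    if (end > bytes.length) return { ok: false, reason: "chunk overruns buffer" };
    const body = bytes.subarray(off + 4, off + 8 + len); // type + data
    const type = String.fromCharCode(...body.subarray(0, 4));
    if (off === 8 && (type !== "IHDR" || len !== 13))
      return { ok: false, reason: "IHDR must come first" };
    if (crc32(body) !== view.getUint32(off + 8 + len))
      return { ok: false, reason: `bad CRC in ${type}` };
    if (type === "IEND")
      return end === bytes.length ? { ok: true, reason: "" } : { ok: false, reason: "trailing data" };
    off = end;
  }
  return { ok: false, reason: "missing IEND" };
}
// Builds one chunk with a correct CRC (used only for the constructed sample).
function chunk(type, data) {
  const out = new Uint8Array(12 + data.length);
  const v = new DataView(out.buffer);
  v.setUint32(0, data.length);
  out.set([...type].map((ch) => ch.charCodeAt(0)), 4);
  out.set(data, 8);
  v.setUint32(8 + data.length, crc32(out.subarray(4, 8 + data.length)));
  return out;
}
// Constructed sample: 1x1 8-bit grayscale PNG assembled chunk by chunk.
function makeSamplePng() {
  const ihdr = chunk("IHDR", [0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0]);
  const idat = chunk("IDAT", [0x78, 0x9c, 0x63, 0x60, 0, 0, 0, 2, 0, 1]);
  return Uint8Array.from([...PNG_SIG, ...ihdr, ...idat, ...chunk("IEND", [])]);
}
```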