But then it goes even further with just about any type for which broken
parsers exists.
HTML is certainly a good example since its very diversely implemented.

An application that lives on a desktop and fails on some images would be
exposing its user if the user downloads a content and opens it with the
application.  Is the difference that the browser warns the user that the
picture has been downloaded? I've never seen a warning about a
downloaded picture.

Paul



On 9/06/15 23:25, Wez wrote:
> IIUC that approach won't help, because the problem here is not
> necessarily invalid/malformed data, but even valid data that some
> decoders fail to handle gracefully.
>
> On 9 June 2015 at 14:13, Paul Libbrecht <p...@hoplahup.net
> <mailto:p...@hoplahup.net>> wrote:
>
>     On 9/06/15 23:08, Daniel Cheng wrote:
>>
>>         So the solution is to require that browsers that make known
>>         media-types in the clipboard actually parse it for its value?
>>         That sounds doable (and probably even useful: e.g. put other
>>         picture flavours in case of a pictures).
>>
>>     I don't think I understand what this means.
>     Since the browser is what would act on behalf of JS when putting a
>     given data into the clipboard, it could check that this data is
>     well formed and maybe matches the patterns of known exploits.
>
>     paul
>
>

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to