Re: [clipboard] Add RTF to the "mandatory data types" list?
On Mon, Apr 20, 2015 at 11:01 PM James M. Greene wrote:
>> That behavior is really all I wanted, i.e. "don't let the browser
>> discard/ignore valid RTF clipboard data".

On Wed, May 6, 2015 at 8:18 PM, Daniel Cheng wrote:
> I don't think I would feel comfortable with allowing web pages to place
> unsanitized RTF in the system clipboard. This would allow webapps to trigger
> exploits such as CVE-2014-1761.

Just to conclude here: I've been convinced that the possibility of targeting exploits at local applications is too severe to allow JS to write stuff labelled as RTF to clipboards. The plan is that RTF will be considered a "custom" type so scripts can set (and get) RTF data, but native applications will not see said data if they look for "RTF" content on the clipboard.

I have not entirely made up my mind on how exposing RTF that other applications have written to the clipboard to JS will work (the "paste" / "read from clipboard" use case), but I think we'll just expose it as usual in the items list with the RTF MIME type.

-Hallvord
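The write/read asymmetry described in the message above, as an added JavaScript model (not part of the original thread and not browser or spec code): script-written RTF lands in a custom bucket that native readers never consult, while natively written RTF is still exposed to script. The `NATIVE_*` labels, the function names and the two-entry table of natively writable types are assumptions made for the illustration.

```javascript
// Added example: toy model of the clipboard policy described in the thread.
// Not browser code; NATIVE_* labels and function names are hypothetical.

// MIME types a script may write under the platform's real format label
// (assumed here to be just the two types the thread names).
const NATIVE_FOR_MIME = new Map([
  ["text/plain", "NATIVE_TEXT"],
  ["text/html", "NATIVE_HTML"],
]);

// Native formats surfaced to script on read. RTF appears only here, so it
// can be read when a native application wrote it but never written as native.
const MIME_FOR_NATIVE = new Map([
  ["NATIVE_TEXT", "text/plain"],
  ["NATIVE_HTML", "text/html"],
  ["NATIVE_RTF", "application/rtf"],
]);

// Copy performed by page script: replaces the clipboard contents.
function scriptCopy(items) {
  const clip = { native: new Map(), custom: new Map() };
  for (const [mime, data] of Object.entries(items)) {
    const format = NATIVE_FOR_MIME.get(mime);
    if (format) clip.native.set(format, data);
    else clip.custom.set(mime, data); // "custom" type, includes application/rtf
  }
  return clip;
}

// Copy performed by a native application.
function nativeCopy(formats) {
  return { native: new Map(Object.entries(formats)), custom: new Map() };
}

// Paste into a native application: only real native formats are visible.
function nativeRead(clip, format) {
  return clip.native.has(format) ? clip.native.get(format) : null;
}

// Paste into a page: native formats mapped to MIME types plus custom types.
function scriptRead(clip) {
  const items = {};
  for (const [format, data] of clip.native) {
    const mime = MIME_FOR_NATIVE.get(format);
    if (mime) items[mime] = data;
  }
  for (const [mime, data] of clip.custom) items[mime] = data;
  return items;
}
```
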
Re: [clipboard] Add RTF to the "mandatory data types" list?
I don't think I would feel comfortable with allowing web pages to place unsanitized RTF in the system clipboard. This would allow webapps to trigger exploits such as CVE-2014-1761.

Daniel

On Mon, Apr 20, 2015 at 11:01 PM James M. Greene wrote:

> Hallvord --
>
> That behavior is really all I wanted, i.e. "don't let the browser
> discard/ignore valid RTF clipboard data".
>
> I would also echo Paul's thoughts: this sounds good but is there any
> OS/browser-level sanitization process necessary? I would be curious to
> hear from Ben if Microsoft already has such things in place for IE.
>
> Sincerely,
> James Greene
>
>
> On Mon, Apr 20, 2015 at 3:26 PM, Paul Libbrecht wrote:
>
>> On 20/04/15 22:11, Hallvord Reiar Michaelsen Steen wrote:
>> > Would it be a possible compromise to let a script describe data as
>> > RTF, and then put said data on the clipboard with the OS's correct RTF
>> > data type labelling? And vice versa, if the script asks for RTF give
>> > it any RTF contents from the clipboard as raw (binary) data? Products
>> > and environments that desperately need clipboard RTF support could
>> > then implement their own parsers and converters in JS and write/read
>> > RTF - the rest of us avoid some browser bloat.. Is this level of
>> > "support" reasonable?
>> Is there any security consideration that we should be aware of here?
>> (e.g. embedded content)
>> If not, then I think there's no issue accepting this way.
>> If yes, then I guess there should be some sanitization process happening
>> since otherwise untrusted web-pages could insert in the clipboard
>> RTF-content that would reference external stuff that would be fetched
>> when pasted in.
>>
>> paul
Re: [clipboard] Add RTF to the "mandatory data types" list?
Hallvord --

That behavior is really all I wanted, i.e. "don't let the browser discard/ignore valid RTF clipboard data".

I would also echo Paul's thoughts: this sounds good but is there any OS/browser-level sanitization process necessary? I would be curious to hear from Ben if Microsoft already has such things in place for IE.

Sincerely,
James Greene

On Mon, Apr 20, 2015 at 3:26 PM, Paul Libbrecht wrote:

> On 20/04/15 22:11, Hallvord Reiar Michaelsen Steen wrote:
> > Would it be a possible compromise to let a script describe data as
> > RTF, and then put said data on the clipboard with the OS's correct RTF
> > data type labelling? And vice versa, if the script asks for RTF give
> > it any RTF contents from the clipboard as raw (binary) data? Products
> > and environments that desperately need clipboard RTF support could
> > then implement their own parsers and converters in JS and write/read
> > RTF - the rest of us avoid some browser bloat.. Is this level of
> > "support" reasonable?
> Is there any security consideration that we should be aware of here?
> (e.g. embedded content)
> If not, then I think there's no issue accepting this way.
> If yes, then I guess there should be some sanitization process happening
> since otherwise untrusted web-pages could insert in the clipboard
> RTF-content that would reference external stuff that would be fetched
> when pasted in.
>
> paul
Re: [clipboard] Add RTF to the "mandatory data types" list?
On 20/04/15 22:11, Hallvord Reiar Michaelsen Steen wrote:
> Would it be a possible compromise to let a script describe data as
> RTF, and then put said data on the clipboard with the OS's correct RTF
> data type labelling? And vice versa, if the script asks for RTF give
> it any RTF contents from the clipboard as raw (binary) data? Products
> and environments that desperately need clipboard RTF support could
> then implement their own parsers and converters in JS and write/read
> RTF - the rest of us avoid some browser bloat.. Is this level of
> "support" reasonable?

Is there any security consideration that we should be aware of here? (e.g. embedded content)
If not, then I think there's no issue accepting this way.
If yes, then I guess there should be some sanitization process happening since otherwise untrusted web-pages could insert in the clipboard RTF-content that would reference external stuff that would be fetched when pasted in.

paul
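An added sketch of the kind of check the question above points at, not code from the thread or from any browser: a small JavaScript scanner that walks raw RTF and reports groups that embed objects, pictures or fields before the data is trusted. The flagged control words are standard RTF; the function name, the flag list and the sample strings are constructed for this example, and the `\bin` handling assumes ASCII input so that string length equals byte length.

```javascript
// Added example: flag RTF constructs that embed or reference content.
// Hypothetical helper, not a complete RTF parser and not a sanitizer.
const FLAGGED = new Map([
  ["object", "embedded or linked object"],
  ["objdata", "raw object payload"],
  ["pict", "embedded picture data"],
  ["field", "field whose instruction may reference external content"],
]);

// Control word: backslash, letters, optional signed number, optional space.
const CONTROL_WORD = /\\([a-zA-Z]+)(-?\d+)? ?/y;

function scanRtf(rtf) {
  const findings = [];
  let depth = 0;
  let i = 0;
  if (!rtf.startsWith("{\\rtf")) {
    findings.push({ offset: 0, word: null, depth, note: "missing {\\rtf header" });
  }
  while (i < rtf.length) {
    const ch = rtf[i];
    if (ch === "{") { depth += 1; i += 1; continue; }
    if (ch === "}") {
      depth -= 1; i += 1;
      if (depth < 0) {
        findings.push({ offset: i - 1, word: null, depth, note: "unmatched }" });
        depth = 0;
      }
      continue;
    }
    if (ch !== "\\") { i += 1; continue; } // plain text
    CONTROL_WORD.lastIndex = i;
    const m = CONTROL_WORD.exec(rtf);
    if (!m) { i += 2; continue; } // control symbol such as \* or \{
    // Compare case-insensitively to stay conservative about lenient readers.
    const word = m[1].toLowerCase();
    i += m[0].length;
    if (word === "bin" && m[2]) {
      // \binN is followed by N raw bytes that are data, not markup: skip them.
      i += Math.max(0, Number(m[2]));
      continue;
    }
    if (FLAGGED.has(word)) {
      findings.push({ offset: m.index, word, depth, note: FLAGGED.get(word) });
    }
  }
  if (depth > 0) {
    findings.push({ offset: rtf.length, word: null, depth, note: "unclosed group" });
  }
  return findings;
}

// Constructed samples (not taken from any real document).
const SAMPLE = "{\\rtf1\\ansi Hello {\\b world}{\\object\\objemb{\\*\\objdata 0105}}" +
  "{\\field{\\*\\fldinst PLACEHOLDER}}}";
const BIN_SAMPLE = "{\\rtf1 \\bin9 {\\object} ok}"; // the 9 bytes after \bin9 are data
```

A caller would treat any finding as a reason to drop the RTF flavour and fall back to plain text or HTML, rather than trying to repair the document.
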
Re: [clipboard] Add RTF to the "mandatory data types" list?
I assume that mandating all engines have built-in RTF parsers/converters to translate back and forth between RTF and HTML is going too far.. Apparently IE did / does just that, but even so it seems like RTF is generally fading away.

Would it be a possible compromise to let a script describe data as RTF, and then put said data on the clipboard with the OS's correct RTF data type labelling? And vice versa, if the script asks for RTF give it any RTF contents from the clipboard as raw (binary) data? Products and environments that desperately need clipboard RTF support could then implement their own parsers and converters in JS and write/read RTF - the rest of us avoid some browser bloat.. Is this level of "support" reasonable?

-Hallvord R

On Wed, Aug 20, 2014 at 8:49 PM, James M. Greene wrote:

> On Aug 20, 2014 4:19 AM, "Daniel Cheng" wrote:
> >
> > On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen <hst...@mozilla.com> wrote:
> >
> >> I don't have "input" as such, but I have a few questions:
> >> Is there any widely used software that writes RTF data to the system clipboard but *not* HTML?
> >
> > I'm curious about the answer to this as well. I haven't seen any examples raised outside of TextEdit. While TextEdit is widely deployed, is it actually widely used as a rich text editor? I know I just use it as the occasional scratch pad. If there aren't any good examples, I don't think it makes sense to make RTF a mandatory data type. If there are, I still think it'd make more sense to push those editors towards supporting HTML rather than trying to make browsers support RTF.
>
> Another likely "scratch pad" editor that only supports RTF is Windows WordPad.
>
> A real and [surprisingly still] popular editor that only accepts RTF pastes -- at least as of its fairly recent X5 version (now on version X7) -- is WordPerfect. I learned this in the past few years while building a very [*very*] premium product for a legal research/workflow solutions company. When I created the rich copy functionality [using Flash], we were required to support plain text, HTML, and RTF for the clipboard injection as WordPerfect X5 couldn't consume the HTML clipboard segment when pasting but could consume RTF. Not sure if that has changed in X6 or X7 as I no longer work for that employer.
Re: [clipboard] Add RTF to the "mandatory data types" list?
On Aug 20, 2014 4:19 AM, "Daniel Cheng" wrote:
>
> On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen wrote:
>
>> I don't have "input" as such, but I have a few questions:
>> Is there any widely used software that writes RTF data to the system clipboard but *not* HTML?
>
> I'm curious about the answer to this as well. I haven't seen any examples raised outside of TextEdit. While TextEdit is widely deployed, is it actually widely used as a rich text editor? I know I just use it as the occasional scratch pad. If there aren't any good examples, I don't think it makes sense to make RTF a mandatory data type. If there are, I still think it'd make more sense to push those editors towards supporting HTML rather than trying to make browsers support RTF.

Another likely "scratch pad" editor that only supports RTF is Windows WordPad.

A real and [surprisingly still] popular editor that only accepts RTF pastes -- at least as of its fairly recent X5 version (now on version X7) -- is WordPerfect. I learned this in the past few years while building a very [*very*] premium product for a legal research/workflow solutions company. When I created the rich copy functionality [using Flash], we were required to support plain text, HTML, and RTF for the clipboard injection as WordPerfect X5 couldn't consume the HTML clipboard segment when pasting but could consume RTF. Not sure if that has changed in X6 or X7 as I no longer work for that employer.
Re: [clipboard] Add RTF to the "mandatory data types" list?
Right now, the default action for copy/cut also populates text/plain on the clipboard if you're copying HTML (I don't think the spec explicitly mentions this, but I'm pretty sure this is how most browsers behave). Given the current discussion, it seems expected that the browser will automatically convert between RTF and HTML. If a user copies markup, the browser should add RTF. If the user pastes RTF, the browser should convert it back into HTML.

Implementing this conversion has one major problem: RTF parsing is complicated. The spec is several hundred pages long. Every browser is going to have to add a rich text parser that's almost completely unrelated to the web when it already has a perfectly good parser for HTML.

In the past, RTF support would have helped text that wanted to include inline images, but there has been progress on solving this without depending on RTF: http://lists.w3.org/Archives/Public/public-webapps/2014JanMar/0103.html

On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen wrote:
> I don't have "input" as such, but I have a few questions:
> Is there any widely used software that writes RTF data to the system
> clipboard but *not* HTML?

I'm curious about the answer to this as well. I haven't seen any examples raised outside of TextEdit. While TextEdit is widely deployed, is it actually widely used as a rich text editor? I know I just use it as the occasional scratch pad. If there aren't any good examples, I don't think it makes sense to make RTF a mandatory data type. If there are, I still think it'd make more sense to push those editors towards supporting HTML rather than trying to make browsers support RTF.

Daniel

On Tue, Aug 19, 2014 at 8:17 PM, Karl Dubost wrote:

> On 19 August 2014 at 19:36, Hallvord R. M. Steen wrote:
> > If there's RTF on the clipboard and you try pasting into a rich text
> > editing element, does any browser convert RTF to HTML to preserve the
> > formatting?
>
> On MacOSX
>
> Test 1:
> Copy styled text with a link in a Web page (grey and pink text, black
> background, Big size) into an RTF editor (TextEdit).
> * Safari -> TextEdit: color, size, position and links preserved
> * Firefox -> TextEdit: only size and links are preserved
>
> Test 2:
> Copy styled text from an RTF editor to content editable form
> http://codepen.io/matt-west/full/gtruC
> * TextEdit -> Safari: Everything is preserved
> * TextEdit -> Firefox: Nothing is preserved, just the text.
>
> Checking by inspecting the DOM content in the form in Safari:
>
> foobar
>
> --
> Karl Dubost 🐄
> http://www.la-grange.net/karl/
Re: [clipboard] Add RTF to the "mandatory data types" list?
On 19 August 2014 at 19:36, Hallvord R. M. Steen wrote:
> If there's RTF on the clipboard and you try pasting into a rich text editing
> element, does any browser convert RTF to HTML to preserve the formatting?

On MacOSX

Test 1:
Copy styled text with a link in a Web page (grey and pink text, black background, Big size) into an RTF editor (TextEdit).
* Safari -> TextEdit: color, size, position and links preserved
* Firefox -> TextEdit: only size and links are preserved

Test 2:
Copy styled text from an RTF editor to content editable form
http://codepen.io/matt-west/full/gtruC
* TextEdit -> Safari: Everything is preserved
* TextEdit -> Firefox: Nothing is preserved, just the text.

Checking by inspecting the DOM content in the form in Safari:

foobar

--
Karl Dubost 🐄
http://www.la-grange.net/karl/
RE: [clipboard] Add RTF to the "mandatory data types" list?
> From: Ben Peters
>
> On Tue, Aug 19, 2014 at 10:08 AM, Daniel Cheng wrote:
> >
> > On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen wrote:
> >>
> >> > Does anyone else have input for/against this?
> >>
> >> Conceptually, I guess RTF sort of covers the same use cases as HTML. That doesn't necessarily mean we should not add it.
> >>
> >> I don't have "input" as such, but I have a few questions:
> >> Is there any widely used software that writes RTF data to the system clipboard but *not* HTML?
> >>
> >> If there's RTF on the clipboard and you try pasting into a rich text editing element, does any browser convert RTF to HTML to preserve the formatting?
> >
> > Chrome Mac should (though I've never tested this functionality). I think the code for this was inherited from Camino, so Firefox may have this as well. It's not common--it's only implemented on Mac because there's some platform support already for parsing RTF into a NSAttributedString and then dumping the result as HTML.
>
> Internet Explorer puts RTF on the clipboard during copy (as well as HTML, text, etc), so yes we should allow developers to access it.

Actually IE also supports converting RTF on the clipboard to HTML when pasted.
RE: [clipboard] Add RTF to the "mandatory data types" list?
On Tue, Aug 19, 2014 at 10:08 AM, Daniel Cheng wrote:
>
> On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen wrote:
>>
>> > Does anyone else have input for/against this?
>>
>> Conceptually, I guess RTF sort of covers the same use cases as HTML. That
>> doesn't necessarily mean we should not add it.
>>
>> I don't have "input" as such, but I have a few questions:
>> Is there any widely used software that writes RTF data to the system
>> clipboard but *not* HTML?
>>
>> If there's RTF on the clipboard and you try pasting into a rich text editing
>> element, does any browser convert RTF to HTML to preserve the formatting?
>
> Chrome Mac should (though I've never tested this functionality). I think the
> code for this was inherited from Camino, so Firefox may have this as well.
> It's not common--it's only implemented on Mac because there's some platform
> support already for parsing RTF into a NSAttributedString and then dumping
> the result as HTML.

Internet Explorer puts RTF on the clipboard during copy (as well as HTML, text, etc), so yes we should allow developers to access it.
Re: [clipboard] Add RTF to the "mandatory data types" list?
On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen wrote:

> > Does anyone else have input for/against this?
>
> Conceptually, I guess RTF sort of covers the same use cases as HTML. That
> doesn't necessarily mean we should not add it.
>
> I don't have "input" as such, but I have a few questions:
> Is there any widely used software that writes RTF data to the system
> clipboard but *not* HTML?
>
> If there's RTF on the clipboard and you try pasting into a rich text
> editing element, does any browser convert RTF to HTML to preserve the
> formatting?

Chrome Mac should (though I've never tested this functionality). I think the code for this was inherited from Camino, so Firefox may have this as well. It's not common--it's only implemented on Mac because there's some platform support already for parsing RTF into a NSAttributedString and then dumping the result as HTML.

> Did anyone ever write a complete RTF parser in JavaScript? If you could
> read raw RTF data off the clipboard, how would you process it? How likely
> do you think it is that those who write web editors will go through the
> efforts and add code to handle RTF paste?
>
> -Hallvord
Re: [clipboard] Add RTF to the "mandatory data types" list?
> Does anyone else have input for/against this?

Conceptually, I guess RTF sort of covers the same use cases as HTML. That doesn't necessarily mean we should not add it.

I don't have "input" as such, but I have a few questions:
Is there any widely used software that writes RTF data to the system clipboard but *not* HTML?

If there's RTF on the clipboard and you try pasting into a rich text editing element, does any browser convert RTF to HTML to preserve the formatting?

Did anyone ever write a complete RTF parser in JavaScript? If you could read raw RTF data off the clipboard, how would you process it? How likely do you think it is that those who write web editors will go through the efforts and add code to handle RTF paste?

-Hallvord
Re: [clipboard] Add RTF to the "mandatory data types" list?
Does anyone else have input for/against this? Please chime in. Thanks!

Sincerely,
James Greene

On Thu, Oct 17, 2013 at 6:57 AM, James Greene wrote:

> Oh, and I should also mention that the Flash Player clipboard (which we
> are trying to kill) supports plain text, HTML, and RTF, as well as custom
> "application-defined" data types.
>
> http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/desktop/Clipboard.html
>
> On Oct 17, 2013 5:44 AM, "James Greene" wrote:
>
>> Would it be possible to add RTF (MIME type of "application/rtf") [1] to
>> the "mandatory data types" [2] list?
>>
>> While it is a proprietary file format held by Microsoft, it also has
>> public specs [3][4] and is designed for cross-platform interchange of text
>> and graphics.
>>
>> More importantly, I speculate that it is one of the top three types of
>> text formats that people copy-and-paste: plain text, RTF, and HTML. It is
>> also supported, or at least readable, by almost every word processing
>> application ever made: Microsoft Word, WordPerfect, WordPad, OpenOffice,
>> FreeOffice, LibreOffice, etc. This is not limited to desktop office
>> applications either, however, as RTF is also supported by online solutions
>> such as Google Docs, Zoho Docs, etc.
>>
>> With all that in mind, it definitely seems like it should be on the
>> "mandatory data types" list.
>>
>> Are there any legal roadblocks to making a proprietary data format a
>> mandatory type? Are there any other reasons why people think that RTF
>> should be excluded from the list?
>>
>> Please let me know and/or discuss. Thanks!
>>
>> [1] http://en.wikipedia.org/wiki/Rich_Text_Format
>> [2] http://www.w3.org/TR/clipboard-apis/#mandatory-data-types-1
>> [3] RTF spec v1.8
>> http://www.microsoft.com/en-us/download/details.aspx?id=7105
>> [4] RTF spec v1.9.1
>> http://www.microsoft.com/en-us/download/details.aspx?id=10725
>>
>> Sincerely,
>> James Greene
Re: [clipboard] Add RTF to the "mandatory data types" list?
Oh, and I should also mention that the Flash Player clipboard (which we are trying to kill) supports plain text, HTML, and RTF, as well as custom "application-defined" data types.

http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/desktop/Clipboard.html

On Oct 17, 2013 5:44 AM, "James Greene" wrote:

> Would it be possible to add RTF (MIME type of "application/rtf") [1] to
> the "mandatory data types" [2] list?
>
> While it is a proprietary file format held by Microsoft, it also has
> public specs [3][4] and is designed for cross-platform interchange of text
> and graphics.
>
> More importantly, I speculate that it is one of the top three types of
> text formats that people copy-and-paste: plain text, RTF, and HTML. It is
> also supported, or at least readable, by almost every word processing
> application ever made: Microsoft Word, WordPerfect, WordPad, OpenOffice,
> FreeOffice, LibreOffice, etc. This is not limited to desktop office
> applications either, however, as RTF is also supported by online solutions
> such as Google Docs, Zoho Docs, etc.
>
> With all that in mind, it definitely seems like it should be on the
> "mandatory data types" list.
>
> Are there any legal roadblocks to making a proprietary data format a
> mandatory type? Are there any other reasons why people think that RTF
> should be excluded from the list?
>
> Please let me know and/or discuss. Thanks!
>
> [1] http://en.wikipedia.org/wiki/Rich_Text_Format
> [2] http://www.w3.org/TR/clipboard-apis/#mandatory-data-types-1
> [3] RTF spec v1.8
> http://www.microsoft.com/en-us/download/details.aspx?id=7105
> [4] RTF spec v1.9.1
> http://www.microsoft.com/en-us/download/details.aspx?id=10725
>
> Sincerely,
> James Greene
[clipboard] Add RTF to the "mandatory data types" list?
Would it be possible to add RTF (MIME type of "application/rtf") [1] to the "mandatory data types" [2] list?

While it is a proprietary file format held by Microsoft, it also has public specs [3][4] and is designed for cross-platform interchange of text and graphics.

More importantly, I speculate that it is one of the top three types of text formats that people copy-and-paste: plain text, RTF, and HTML. It is also supported, or at least readable, by almost every word processing application ever made: Microsoft Word, WordPerfect, WordPad, OpenOffice, FreeOffice, LibreOffice, etc. This is not limited to desktop office applications either, however, as RTF is also supported by online solutions such as Google Docs, Zoho Docs, etc.

With all that in mind, it definitely seems like it should be on the "mandatory data types" list.

Are there any legal roadblocks to making a proprietary data format a mandatory type? Are there any other reasons why people think that RTF should be excluded from the list?

Please let me know and/or discuss. Thanks!

[1] http://en.wikipedia.org/wiki/Rich_Text_Format
[2] http://www.w3.org/TR/clipboard-apis/#mandatory-data-types-1
[3] RTF spec v1.8 http://www.microsoft.com/en-us/download/details.aspx?id=7105
[4] RTF spec v1.9.1 http://www.microsoft.com/en-us/download/details.aspx?id=10725

Sincerely,
James Greene