Re: [clipboard] Add RTF to the "mandatory data types" list?

2016-06-13 Thread Hallvord Reiar Michaelsen Steen
On Mon, Apr 20, 2015 at 11:01 PM James M. Greene 
wrote:

>> That behavior is really all I wanted, i.e. "don't let the browser
>> discard/ignore valid RTF clipboard data".

On Wed, May 6, 2015 at 8:18 PM, Daniel Cheng  wrote:
> I don't think I would feel comfortable with allowing web pages to place
> unsanitized RTF in the system clipboard. This would allow webapps to trigger
> exploits such as CVE-2014-1761.

Just to conclude here: I've been convinced that the possibility of
targeting exploits at local applications is too severe to allow JS to
write stuff labelled as RTF to clipboards. The plan is that RTF will
be considered a "custom" type so scripts can set (and get) RTF data,
but native applications will not see said data if they look for "RTF"
content on the clipboard.

I have not entirely made up my mind on how exposing RTF that other
applications have written to the clipboard to JS will work (the
"paste" / "read from clipboard" use case), but I think we'll just
expose it as usual in the items list with the RTF MIME type.
-Hallvord



Re: [clipboard] Add RTF to the mandatory data types list?

2015-04-21 Thread James M. Greene
Hallvord --

That behavior is really all I wanted, i.e. don't let the browser
discard/ignore valid RTF clipboard data.

I would also echo Paul's thoughts: this sounds good but is there any
OS/browser-level sanitization process necessary?  I would be curious to
hear from Ben if Microsoft already has such things in place for IE.

Sincerely,
James Greene


On Mon, Apr 20, 2015 at 3:26 PM, Paul Libbrecht p...@hoplahup.net wrote:



 On 20/04/15 22:11, Hallvord Reiar Michaelsen Steen wrote:
  Would it be a possible compromise to let a script describe data as
  RTF, and then put said data on the clipboard with the OS's correct RTF
  data type labelling? And vice versa, if the script asks for RTF give
  it any RTF contents from the clipboard as raw (binary) data? Products
  and environments that desperately need clipboard RTF support could
  then implement their own parsers and converters in JS and write/read
  RTF - the rest of us avoid some browser bloat.. Is this level of
  support reasonable?
 Is there any security consideration that we should be aware of here?
 (e.g. embedded content)
 If not, then I think there's no issue accepting this way.
 If yes, then I guess there should be some sanitization process happening
 since otherwise untrusted web-pages could insert in the clipboard
 RTF-content that would reference external stuff that would be fetched
 when pasted in.

 paul




Re: [clipboard] Add RTF to the mandatory data types list?

2015-04-20 Thread Hallvord Reiar Michaelsen Steen
I assume that mandating all engines have built-in RTF parsers/converters to
translate back and forth between RTF and HTML is going too far.. Apparently
IE did / does just that, but even so it seems like RTF is generally fading
away.

Would it be a possible compromise to let a script describe data as RTF, and
then put said data on the clipboard with the OS's correct RTF data type
labelling? And vice versa, if the script asks for RTF give it any RTF
contents from the clipboard as raw (binary) data? Products and environments
that desperately need clipboard RTF support could then implement their own
parsers and converters in JS and write/read RTF - the rest of us avoid some
browser bloat.. Is this level of support reasonable?
-Hallvord R

On Wed, Aug 20, 2014 at 8:49 PM, James M. Greene james.m.gre...@gmail.com
wrote:

 On Aug 20, 2014 4:19 AM, Daniel Cheng dch...@chromium.org wrote:
 
  On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen 
 hst...@mozilla.com wrote:
 
  I don't have input as such, but I have a few questions:
  Is there any widely used software that writes RTF data to the system
 clipboard but *not* HTML?
 
  I'm curious about the answer to this as well. I haven't seen any
 examples raised outside of TextEdit. While TextEdit is widely deployed, is
 it actually widely used as a rich text editor? I know I just use it as the
 occasional scratch pad. If there aren't any good examples, I don't think it
 makes sense to make RTF a mandatory data type. If there are, I still think
 it'd make more sense to push those editors towards supporting HTML rather
 than trying to make browsers support RTF.

 Another likely scratch pad editor that only supports RTF is Windows
 WordPad.

 A real and [surprisingly still] popular editor that only accepts RTF
 pastes -- at least as of its fairly recent X5 version (now on version X7)
 -- is WordPerfect.  I learned this in the past few years while building a
 very [*very*] premium product for a legal research/workflow solutions
 company.  When I created the rich copy functionality [using Flash], we were
 required to support plain text, HTML, and RTF for the clipboard injection
 as WordPerfect X5 couldn't consume the HTML clipboard segment when pasting
 but could consume RTF.  Not sure if that has changed in X6 or X7 as I no
 longer work for that employer.



Re: [clipboard] Add RTF to the mandatory data types list?

2015-04-20 Thread Paul Libbrecht


On 20/04/15 22:11, Hallvord Reiar Michaelsen Steen wrote:
 Would it be a possible compromise to let a script describe data as
 RTF, and then put said data on the clipboard with the OS's correct RTF
 data type labelling? And vice versa, if the script asks for RTF give
 it any RTF contents from the clipboard as raw (binary) data? Products
 and environments that desperately need clipboard RTF support could
 then implement their own parsers and converters in JS and write/read
 RTF - the rest of us avoid some browser bloat.. Is this level of
 support reasonable?
Is there any security consideration that we should be aware of here?
(e.g. embedded content)
If not, then I think there's no issue accepting this way.
If yes, then I guess there should be some sanitization process happening
since otherwise untrusted web-pages could insert in the clipboard
RTF-content that would reference external stuff that would be fetched
when pasted in.

paul
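
An added illustration of the sanitization question raised in this message (not part of the original e-mail, and not code from any browser or from the Clipboard API spec): a small JavaScript scanner that a web application could run over RTF read from the clipboard to flag embedded objects and fields that reference external content before converting it. The name `scanRtf`, the deny-lists and the sample strings are assumptions constructed for this example.

```javascript
// Added example. The deny-lists are constructed for illustration, not a spec.
const RISKY_WORDS = new Set(["object", "objdata", "objemb", "objlink",
  "objautlink", "objocx", "objupdate", "template"]);
const RISKY_FIELDS = new Set(["INCLUDEPICTURE", "INCLUDETEXT", "HYPERLINK",
  "DDE", "DDEAUTO"]);

// Scan an RTF string (one char per byte assumed) and report what a paste
// handler should refuse or strip before any further conversion.
function scanRtf(rtf) {
  if (!rtf.startsWith("{\\rtf1")) return { ok: false, findings: ["not-rtf"] };
  const findings = new Set();
  let depth = 0, i = 0;
  let fieldDepth = -1, fieldText = "";   // state while inside a \fldinst group
  while (i < rtf.length) {
    const ch = rtf[i];
    if (ch === "{") { depth++; i++; }
    else if (ch === "}") {
      if (depth === fieldDepth) {        // the \fldinst group just closed
        const name = fieldText.trim().split(/\s+/)[0].toUpperCase();
        if (RISKY_FIELDS.has(name)) findings.add("field:" + name);
        fieldDepth = -1; fieldText = "";
      }
      depth--; i++;
      if (depth < 0) break;              // more closes than opens
    } else if (ch === "\\") {
      const m = /^\\([A-Za-z]+)(-?\d+)? ?/.exec(rtf.slice(i, i + 48));
      if (!m) {                          // control symbol: \{ \} \\ \* or \'hh
        i += rtf[i + 1] === "'" ? 4 : 2;
        continue;
      }
      i += m[0].length;
      const word = m[1].toLowerCase();
      if (word === "bin") {              // \binN: next N bytes are raw data,
        i += Math.max(0, Number(m[2] || 0)); // braces in them are not structure
      } else if (word === "fldinst") {
        fieldDepth = depth; fieldText = "";
      } else if (RISKY_WORDS.has(word)) {
        findings.add("control:" + word);
      }
    } else {
      if (fieldDepth !== -1) fieldText += ch;
      i++;
    }
  }
  if (depth !== 0) findings.add("unbalanced-braces");
  return { ok: findings.size === 0, findings: [...findings] };
}

// Constructed sample inputs.
const BENIGN = String.raw`{\rtf1\ansi{\fonttbl{\f0 Times;}}\f0\fs24 Hello \{world\}\par}`;
const EMBEDDED = String.raw`{\rtf1 text{\object\objemb{\*\objdata 0105}}` +
  String.raw`{\field{\*\fldinst{INCLUDEPICTURE "http://example.invalid/a.png"}}{\fldrslt x}}}`;
const BINARY = String.raw`{\rtf1{\pict\bin3 }{}}}`;

console.log(scanRtf(BENIGN), scanRtf(EMBEDDED), scanRtf(BINARY));
```

The `BINARY` sample shows why a plain brace count is not enough: the three bytes after `\bin3` look like group delimiters but are data, so the scanner has to skip them to keep its nesting depth correct.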





Re: [clipboard] Add RTF to the mandatory data types list?

2014-08-20 Thread Daniel Cheng
Right now, the default action for copy/cut also populates text/plain on the
clipboard if you're copying HTML (I don't think the spec explicitly
mentions this, but I'm pretty sure this is how most browsers behave).

Given the current discussion, it seems expected that the browser will
automatically convert between RTF and HTML. If a user copies markup, the
browser should add RTF. If the user pastes RTF, the browser should convert
it back into HTML.

Implementing this conversion has one major problem: RTF parsing is
complicated. The spec is several hundred pages long. Every browser is going
to have to add a rich text parser that's almost completely unrelated to the
web when it already has a perfectly good parser for HTML.

In the past, RTF support would have helped text that wanted to include
inline images, but there has been progress on solving this without
depending on RTF:
http://lists.w3.org/Archives/Public/public-webapps/2014JanMar/0103.html

On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen hst...@mozilla.com
 wrote:

 I don't have input as such, but I have a few questions:
 Is there any widely used software that writes RTF data to the system
 clipboard but *not* HTML?


I'm curious about the answer to this as well. I haven't seen any examples
raised outside of TextEdit. While TextEdit is widely deployed, is it
actually widely used as a rich text editor? I know I just use it as the
occasional scratch pad. If there aren't any good examples, I don't think it
makes sense to make RTF a mandatory data type. If there are, I still think
it'd make more sense to push those editors towards supporting HTML rather
than trying to make browsers support RTF.

Daniel


On Tue, Aug 19, 2014 at 8:17 PM, Karl Dubost k...@la-grange.net wrote:


 On 19 August 2014 at 19:36, Hallvord R. M. Steen hst...@mozilla.com
 wrote:
  If there's RTF on the clipboard and you try pasting into a rich text
 editing element, does any browser convert RTF to HTML to preserve the
 formatting?

 On MacOSX

 Test 1:
 Copy styled text with a link in a Web page (grey and pink text, black
 background, Big size) into an RTF editor (TextEdit).
 * Safari  - TextEdit: color, size, position and links preserved
 * Firefox - TextEdit: only size and links are preserved

 Test 2:
 Copy styled text from an RTF editor to content editable form
 http://codepen.io/matt-west/full/gtruC
 * TextEdit - Safari: Everything is preserved
 * TextEdit - Firefox: Nothing is preserved, just the text.


 Checking by inspecting the DOM content in the form in Safari:

 <p style="margin: 0px 0px 10px; font-size: 34px; line-height: normal;
 font-family: Times; color: rgb(225, 44, 155);">foobar</p>


 --
 Karl Dubost 
 http://www.la-grange.net/karl/





Re: [clipboard] Add RTF to the mandatory data types list?

2014-08-20 Thread James M. Greene
On Aug 20, 2014 4:19 AM, Daniel Cheng dch...@chromium.org wrote:

 On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen hst...@mozilla.com
 wrote:

 I don't have input as such, but I have a few questions:
 Is there any widely used software that writes RTF data to the system
clipboard but *not* HTML?

 I'm curious about the answer to this as well. I haven't seen any examples
raised outside of TextEdit. While TextEdit is widely deployed, is it
actually widely used as a rich text editor? I know I just use it as the
occasional scratch pad. If there aren't any good examples, I don't think it
makes sense to make RTF a mandatory data type. If there are, I still think
it'd make more sense to push those editors towards supporting HTML rather
than trying to make browsers support RTF.

Another likely scratch pad editor that only supports RTF is Windows
WordPad.

A real and [surprisingly still] popular editor that only accepts RTF pastes
-- at least as of its fairly recent X5 version (now on version X7) -- is
WordPerfect.  I learned this in the past few years while building a very [
*very*] premium product for a legal research/workflow solutions company.
 When I created the rich copy functionality [using Flash], we were required
to support plain text, HTML, and RTF for the clipboard injection as
WordPerfect X5 couldn't consume the HTML clipboard segment when pasting but
could consume RTF.  Not sure if that has changed in X6 or X7 as I no longer
work for that employer.


Re: [clipboard] Add RTF to the mandatory data types list?

2014-08-19 Thread Hallvord R. M. Steen
 Does anyone else have input for/against this?

Conceptually, I guess RTF sort of covers the same use cases as HTML. That 
doesn't necessarily mean we should not add it.

I don't have input as such, but I have a few questions:
Is there any widely used software that writes RTF data to the system clipboard 
but *not* HTML?

If there's RTF on the clipboard and you try pasting into a rich text editing 
element, does any browser convert RTF to HTML to preserve the formatting?

Did anyone ever write a complete RTF parser in JavaScript? If you could read 
raw RTF data off the clipboard, how would you process it? How likely do you 
think it is that those who write web editors will go through the efforts and 
add code to handle RTF paste?

-Hallvord



Re: [clipboard] Add RTF to the mandatory data types list?

2014-08-19 Thread Daniel Cheng
On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen hst...@mozilla.com
wrote:

  Does anyone else have input for/against this?

 Conceptually, I guess RTF sort of covers the same use cases as HTML. That
 doesn't necessarily mean we should not add it.

 I don't have input as such, but I have a few questions:
 Is there any widely used software that writes RTF data to the system
 clipboard but *not* HTML?

 If there's RTF on the clipboard and you try pasting into a rich text
 editing element, does any browser convert RTF to HTML to preserve the
 formatting?


Chrome Mac should (though I've never tested this functionality). I think
the code for this was inherited from Camino, so Firefox may have this as
well. It's not common--it's only implemented on Mac because there's some
platform support already for parsing RTF into a NSAttributedString and then
dumping the result as HTML.



 Did anyone ever write a complete RTF parser in JavaScript? If you could
 read raw RTF data off the clipboard, how would you process it? How likely
 do you think it is that those who write web editors will go through the
 efforts and add code to handle RTF paste?

 -Hallvord




RE: [clipboard] Add RTF to the mandatory data types list?

2014-08-19 Thread Ben Peters

On Tue, Aug 19, 2014 at 10:08 AM, Daniel Cheng dch...@chromium.org wrote:

 On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen hst...@mozilla.com 
 wrote:

  Does anyone else have input for/against this?

 Conceptually, I guess RTF sort of covers the same use cases as HTML. That 
 doesn't necessarily mean we should not add it.

 I don't have input as such, but I have a few questions:
 Is there any widely used software that writes RTF data to the system 
 clipboard but *not* HTML?

 If there's RTF on the clipboard and you try pasting into a rich text editing 
 element, does any browser convert RTF to HTML to preserve the formatting?


 Chrome Mac should (though I've never tested this functionality). I think the 
 code for this was inherited from Camino, so Firefox may have this as well. 
 It's not common--it's only implemented on Mac because there's some platform 
 support already for parsing RTF into a NSAttributedString and then dumping 
 the result as HTML.

Internet Explorer puts RTF on the clipboard during copy (as well as HTML, text, 
etc), so yes we should allow developers to access it.


RE: [clipboard] Add RTF to the mandatory data types list?

2014-08-19 Thread Ben Peters
 From: Ben Peters
 
 On Tue, Aug 19, 2014 at 10:08 AM, Daniel Cheng dch...@chromium.org
 wrote:
 
  On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen
 hst...@mozilla.com wrote:
 
   Does anyone else have input for/against this?
 
  Conceptually, I guess RTF sort of covers the same use cases as HTML. That
 doesn't necessarily mean we should not add it.
 
  I don't have input as such, but I have a few questions:
  Is there any widely used software that writes RTF data to the system
 clipboard but *not* HTML?
 
  If there's RTF on the clipboard and you try pasting into a rich text 
  editing
 element, does any browser convert RTF to HTML to preserve the formatting?
 
 
  Chrome Mac should (though I've never tested this functionality). I think the
 code for this was inherited from Camino, so Firefox may have this as well. 
 It's
 not common--it's only implemented on Mac because there's some platform
 support already for parsing RTF into a NSAttributedString and then dumping
 the result as HTML.
 
 Internet Explorer puts RTF on the clipboard during copy (as well as HTML,
 text, etc), so yes we should allow developers to access it.

Actually IE also supports converting RTF on the clipboard to HTML when pasted.


Re: [clipboard] Add RTF to the mandatory data types list?

2014-08-19 Thread Karl Dubost

On 19 August 2014 at 19:36, Hallvord R. M. Steen hst...@mozilla.com wrote:
 If there's RTF on the clipboard and you try pasting into a rich text editing 
 element, does any browser convert RTF to HTML to preserve the formatting?

On MacOSX

Test 1: 
Copy styled text with a link in a Web page (grey and pink text, black 
background, Big size) into an RTF editor (TextEdit).
* Safari  - TextEdit: color, size, position and links preserved
* Firefox - TextEdit: only size and links are preserved

Test 2:
Copy styled text from an RTF editor to content editable form
http://codepen.io/matt-west/full/gtruC
* TextEdit - Safari: Everything is preserved
* TextEdit - Firefox: Nothing is preserved, just the text.


Checking by inspecting the DOM content in the form in Safari:

<p style="margin: 0px 0px 10px; font-size: 34px; line-height: normal;
font-family: Times; color: rgb(225, 44, 155);">foobar</p>


-- 
Karl Dubost 
http://www.la-grange.net/karl/




Re: [clipboard] Add RTF to the mandatory data types list?

2014-08-18 Thread James M. Greene
Does anyone else have input for/against this? Please chime in. Thanks!

Sincerely,
James Greene



On Thu, Oct 17, 2013 at 6:57 AM, James Greene james.m.gre...@gmail.com
wrote:

 Oh, and I should also mention that the Flash Player clipboard (which we
 are trying to kill) supports plain text, HTML, and RTF, as well as custom
 application-defined data types.


 http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/desktop/Clipboard.html
  On Oct 17, 2013 5:44 AM, James Greene james.m.gre...@gmail.com wrote:

 Would it be possible to add RTF (MIME type of application/rtf) [1] to
 the mandatory data types [2] list?

 While it is a proprietary file format held by Microsoft, it also has
 public specs [3][4] and is designed for cross-platform interchange of text
 and graphics.

 More importantly, I speculate that it is one of the top three types of
 text formats that people copy-and-paste: plain text, RTF, and HTML. It is
 also supported, or at least readable, by almost every word processing
 application ever made: Microsoft Word, WordPerfect, WordPad, OpenOffice,
 FreeOffice, LibreOffice, etc. This is not limited to desktop office
 applications either, however, as RTF is also supported by online solutions
 such as Google Docs, Zoho Docs, etc.

 With all that in mind, it definitely seems like it should be on the
 mandatory data types list.

 Are there any legal roadblocks to making a proprietary data format a
 mandatory type? Are there any other reasons why people think that RTF
 should be excluded from the list?

 Please let me know and/or discuss.  Thanks!

 [1] http://en.wikipedia.org/wiki/Rich_Text_Format
 [2] http://www.w3.org/TR/clipboard-apis/#mandatory-data-types-1
 [3] RTF spec v1.8
 http://www.microsoft.com/en-us/download/details.aspx?id=7105
 [4] RTF spec v1.9.1
 http://www.microsoft.com/en-us/download/details.aspx?id=10725


 Sincerely,
 James Greene




Re: [clipboard] Add RTF to the mandatory data types list?

2013-10-17 Thread James Greene
Oh, and I should also mention that the Flash Player clipboard (which we are
trying to kill) supports plain text, HTML, and RTF, as well as custom
application-defined data types.

http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/desktop/Clipboard.html
On Oct 17, 2013 5:44 AM, James Greene james.m.gre...@gmail.com wrote:

 Would it be possible to add RTF (MIME type of application/rtf) [1] to
 the mandatory data types [2] list?

 While it is a proprietary file format held by Microsoft, it also has
 public specs [3][4] and is designed for cross-platform interchange of text
 and graphics.

 More importantly, I speculate that it is one of the top three types of
 text formats that people copy-and-paste: plain text, RTF, and HTML. It is
 also supported, or at least readable, by almost every word processing
 application ever made: Microsoft Word, WordPerfect, WordPad, OpenOffice,
 FreeOffice, LibreOffice, etc. This is not limited to desktop office
 applications either, however, as RTF is also supported by online solutions
 such as Google Docs, Zoho Docs, etc.

 With all that in mind, it definitely seems like it should be on the
 mandatory data types list.

 Are there any legal roadblocks to making a proprietary data format a
 mandatory type? Are there any other reasons why people think that RTF
 should be excluded from the list?

 Please let me know and/or discuss.  Thanks!

 [1] http://en.wikipedia.org/wiki/Rich_Text_Format
 [2] http://www.w3.org/TR/clipboard-apis/#mandatory-data-types-1
 [3] RTF spec v1.8
 http://www.microsoft.com/en-us/download/details.aspx?id=7105
 [4] RTF spec v1.9.1
 http://www.microsoft.com/en-us/download/details.aspx?id=10725


 Sincerely,
 James Greene