Re: [clipboard] Add RTF to the "mandatory data types" list?
On Mon, Apr 20, 2015 at 11:01 PM James M. Greenewrote: >> That behavior is really all I wanted, i.e. "don't let the browser >> discard/ignore valid RTF clipboard data". On Wed, May 6, 2015 at 8:18 PM, Daniel Cheng wrote: > I don't think I would feel comfortable with allowing web pages to place > unsanitized RTF in the system clipboard. This would allow webapps to trigger > exploits such as CVE-2014-1761. Just to conclude here: I've been convinced that the possibility of targeting exploits at local applications are too severe to allow JS to write stuff labelled as RTF to clipboards. The plan is that RTF will be considered a "custom" type so scripts can set (and get) RTF data, but native applications will not see said data if they look for "RTF" content on the clipboard. I have not entirely made up my mind on how exposing RTF that other applications have written to the clipboard to JS will work (the "paste" / "read from clipboard" use case), but I think we'll just expose it as usual in the items list with the RTF MIME type. -Hallvord
Re: [clipboard] Add RTF to the mandatory data types list?
Hallvord -- That behavior is really all I wanted, i.e. don't let the browser discard/ignore valid RTF clipboard data. I would also echo Paul's thoughts: this sounds good but is there any OS/browser-level sanitization process necessary? I would be curious to hear from Ben if Microsoft already has such things in place for IE. Sincerely, James Greene On Mon, Apr 20, 2015 at 3:26 PM, Paul Libbrecht p...@hoplahup.net wrote: On 20/04/15 22:11, Hallvord Reiar Michaelsen Steen wrote: Would it be a possible compromise to let a script describe data as RTF, and then put said data on the clipboard with the OS's correct RTF data type labelling? And vice versa, if the script asks for RTF give it any RTF contents from the clipboard as raw (binary) data? Products and environments that desperately need clipboard RTF support could then implement their own parsers and converters in JS and write/read RTF - the rest of us avoid some browser bloat.. Is this level of support reasonable? Is there any security consideration that we should be aware of here? (e.g. embedded content) If not, then I think there's no issue accepting this way. If yes, then I guess there should be some sanitization process happening since otherwise untrusted web-pages could insert in the clipboard RTF-content that would reference external stuff that would be fetched when pasted in. paul
Re: [clipboard] Add RTF to the mandatory data types list?
I assume that mandating all engines have built-in RTF parsers/converters to translate back and forth between RTF and HTML is going too far.. Apparently IE did / does just that, but even so it seems like RTF is generally fading away. Would it be a possible compromise to let a script describe data as RTF, and then put said data on the clipboard with the OS's correct RTF data type labelling? And vice versa, if the script asks for RTF give it any RTF contents from the clipboard as raw (binary) data? Products and environments that desperately need clipboard RTF support could then implement their own parsers and converters in JS and write/read RTF - the rest of us avoid some browser bloat.. Is this level of support reasonable? -Hallvord R On Wed, Aug 20, 2014 at 8:49 PM, James M. Greene james.m.gre...@gmail.com wrote: On Aug 20, 2014 4:19 AM, Daniel Cheng dch...@chromium.org wrote: On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen hst...@mozilla.com wrote: I don't have input as such, but I have a few questions: Is there any widely used software that writes RTF data to the system clipboard but *not* HTML? I'm curious about the answer to this as well. I haven't seen any examples raised outside of TextEdit. While TextEdit is widely deployed, is it actually widely used as a rich text editor? I know I just use it as the occasional scratch pad. If there aren't any good examples, I don't think it makes sense to make RTF a mandatory data type. If there are, I still think it'd make more sense to push those editors towards supporting HTML rather than trying to make browsers support RTF. Another likely scratch pad editor that only supports RTF is Windows WordPad. A real and [surprisingly still] popular editor that only accepts RTF pastes -- at least as of its fairly recent X5 version (now on version X7) -- is WordPerfect. I learned this in the past few years while building a very [*very*] premium product for a legal research/workflow solutions company. When I created the rich copy functionality [using Flash], we were required to support plain text, HTML, and RTF for the clipboard injection as WordPerfect X5 couldn't consume the HTML clipboard segment when pasting but could consume RTF. Not sure if that has changed in X6 or X7 as I no longer work for that employer.
Re: [clipboard] Add RTF to the mandatory data types list?
On 20/04/15 22:11, Hallvord Reiar Michaelsen Steen wrote: Would it be a possible compromise to let a script describe data as RTF, and then put said data on the clipboard with the OS's correct RTF data type labelling? And vice versa, if the script asks for RTF give it any RTF contents from the clipboard as raw (binary) data? Products and environments that desperately need clipboard RTF support could then implement their own parsers and converters in JS and write/read RTF - the rest of us avoid some browser bloat.. Is this level of support reasonable? Is there any security consideration that we should be aware of here? (e.g. embedded content) If not, then I think there's no issue accepting this way. If yes, then I guess there should be some sanitization process happening since otherwise untrusted web-pages could insert in the clipboard RTF-content that would reference external stuff that would be fetched when pasted in. paul signature.asc Description: OpenPGP digital signature
Re: [clipboard] Add RTF to the mandatory data types list?
Right now, the default action for copy/cut also populates text/plain on the clipboard if you're copying HTML (I don't think the spec explicitly mentions this, but I'm pretty sure this is how most browsers behave). Given the current discussion, it seems expected that the browser will automatically convert between RTF and HTML. If a user copies markup, the browser should add RTF. If the user pastes RTF, the browser should convert it back into HTML. Implementing this conversion has one major problem: RTF parsing is complicated. The spec is several hundred pages long. Every browser is going to have to add rich text parser that's almost completely unrelated to the web when it already has a perfectly good parser for HTML. In the past, RTF support would have helped text that wanted to include inline images, but there has been progress on solving this without depending on RTF: http://lists.w3.org/Archives/Public/public-webapps/2014JanMar/0103.html On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen hst...@mozilla.com wrote: I don't have input as such, but I have a few questions: Is there any widely used software that writes RTF data to the system clipboard but *not* HTML? I'm curious about the answer to this as well. I haven't seen any examples raised outside of TextEdit. While TextEdit is widely deployed, is it actually widely used as a rich text editor? I know I just use it as the occasional scratch pad. If there aren't any good examples, I don't think it makes sense to make RTF a mandatory data type. If there are, I still think it'd make more sense to push those editors towards supporting HTML rather than trying to make browsers support RTF. Daniel On Tue, Aug 19, 2014 at 8:17 PM, Karl Dubost k...@la-grange.net wrote: Le 19 août 2014 à 19:36, Hallvord R. M. Steen hst...@mozilla.com a écrit : If there's RTF on the clipboard and you try pasting into a rich text editing element, does any browser convert RTF to HTML to preserve the formatting? On MacOSX Test 1: Copy styled text with a link in a Web page (grey and pink text, black background, Big size) into an RTF editor (TextEdit). * Safari - TextEdit: color, size, position and links preserved * Firefox - TextEdit: only size and links are preserved Test 2: Copy styled text from an RTF editor to content editable form http://codepen.io/matt-west/full/gtruC * TextEdit - Safari: Everything is preserved * TextEdit - Firefox: Nothing is preserved, just the text. Checking by inspecting the DOM content in the form in Safari: p style=margin: 0px 0px 10px; font-size: 34px; line-height: normal; font-family: Times; color: rgb(225, 44, 155);foobar/p -- Karl Dubost http://www.la-grange.net/karl/
Re: [clipboard] Add RTF to the mandatory data types list?
On Aug 20, 2014 4:19 AM, Daniel Cheng dch...@chromium.org wrote: On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen hst...@mozilla.com wrote: I don't have input as such, but I have a few questions: Is there any widely used software that writes RTF data to the system clipboard but *not* HTML? I'm curious about the answer to this as well. I haven't seen any examples raised outside of TextEdit. While TextEdit is widely deployed, is it actually widely used as a rich text editor? I know I just use it as the occasional scratch pad. If there aren't any good examples, I don't think it makes sense to make RTF a mandatory data type. If there are, I still think it'd make more sense to push those editors towards supporting HTML rather than trying to make browsers support RTF. Another likely scratch pad editor that only supports RTF is Windows WordPad. A real and [surprisingly still] popular editor that only accepts RTF pastes -- at least as of its fairly recent X5 version (now on version X7) -- is WordPerfect. I learned this in the past few years while building a very [ *very*] premium product for a legal research/workflow solutions company. When I created the rich copy functionality [using Flash], we were required to support plain text, HTML, and RTF for the clipboard injection as WordPerfect X5 couldn't consume the HTML clipboard segment when pasting but could consume RTF. Not sure if that has changed in X6 or X7 as I no longer work for that employer.
Re: [clipboard] Add RTF to the mandatory data types list?
Does anyone else have input for/against this? Conceptually, I guess RTF sort of covers the same use cases as HTML. That doesn't necessarily mean we should not add it. I don't have input as such, but I have a few questions: Is there any widely used software that writes RTF data to the system clipboard but *not* HTML? If there's RTF on the clipboard and you try pasting into a rich text editing element, does any browser convert RTF to HTML to preserve the formatting? Did anyone ever write a complete RTF parser in JavaScript? If you could read raw RTF data off the clipboard, how would you process it? How likely do you think it is that those who write web editors will go through the efforts and add code to handle RTF paste? -Hallvord
Re: [clipboard] Add RTF to the mandatory data types list?
On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen hst...@mozilla.com wrote: Does anyone else have input for/against this? Conceptually, I guess RTF sort of covers the same use cases as HTML. That doesn't necessarily mean we should not add it. I don't have input as such, but I have a few questions: Is there any widely used software that writes RTF data to the system clipboard but *not* HTML? If there's RTF on the clipboard and you try pasting into a rich text editing element, does any browser convert RTF to HTML to preserve the formatting? Chrome Mac should (though I've never tested this functionality). I think the code for this was inherited from Camino, so Firefox may have this as well. It's not common--it's only implemented on Mac because there's some platform support already for parsing RTF into a NSAttributedString and then dumping the result as HTML. Did anyone ever write a complete RTF parser in JavaScript? If you could read raw RTF data off the clipboard, how would you process it? How likely do you think it is that those who write web editors will go through the efforts and add code to handle RTF paste? -Hallvord
RE: [clipboard] Add RTF to the mandatory data types list?
On Tue, Aug 19, 2014 at 10:08 AM, Daniel Cheng dch...@chromium.org wrote: On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen hst...@mozilla.com wrote: Does anyone else have input for/against this? Conceptually, I guess RTF sort of covers the same use cases as HTML. That doesn't necessarily mean we should not add it. I don't have input as such, but I have a few questions: Is there any widely used software that writes RTF data to the system clipboard but *not* HTML? If there's RTF on the clipboard and you try pasting into a rich text editing element, does any browser convert RTF to HTML to preserve the formatting? Chrome Mac should (though I've never tested this functionality). I think the code for this was inherited from Camino, so Firefox may have this as well. It's not common--it's only implemented on Mac because there's some platform support already for parsing RTF into a NSAttributedString and then dumping the result as HTML. Internet Explorer puts RTF on the clipboard during copy (as well as HTML, text, etc), so yes we should allow developers to access it.
RE: [clipboard] Add RTF to the mandatory data types list?
From: Ben Peters On Tue, Aug 19, 2014 at 10:08 AM, Daniel Cheng dch...@chromium.org wrote: On Tue, Aug 19, 2014 at 3:36 AM, Hallvord R. M. Steen hst...@mozilla.com wrote: Does anyone else have input for/against this? Conceptually, I guess RTF sort of covers the same use cases as HTML. That doesn't necessarily mean we should not add it. I don't have input as such, but I have a few questions: Is there any widely used software that writes RTF data to the system clipboard but *not* HTML? If there's RTF on the clipboard and you try pasting into a rich text editing element, does any browser convert RTF to HTML to preserve the formatting? Chrome Mac should (though I've never tested this functionality). I think the code for this was inherited from Camino, so Firefox may have this as well. It's not common--it's only implemented on Mac because there's some platform support already for parsing RTF into a NSAttributedString and then dumping the result as HTML. Internet Explorer puts RTF on the clipboard during copy (as well as HTML, text, etc), so yes we should allow developers to access it. Actually IE also supports converting RTF on the clipboard to HTML when pasted.
Re: [clipboard] Add RTF to the mandatory data types list?
Le 19 août 2014 à 19:36, Hallvord R. M. Steen hst...@mozilla.com a écrit : If there's RTF on the clipboard and you try pasting into a rich text editing element, does any browser convert RTF to HTML to preserve the formatting? On MacOSX Test 1: Copy styled text with a link in a Web page (grey and pink text, black background, Big size) into an RTF editor (TextEdit). * Safari - TextEdit: color, size, position and links preserved * Firefox - TextEdit: only size and links are preserved Test 2: Copy styled text from an RTF editor to content editable form http://codepen.io/matt-west/full/gtruC * TextEdit - Safari: Everything is preserved * TextEdit - Firefox: Nothing is preserved, just the text. Checking by inspecting the DOM content in the form in Safari: p style=margin: 0px 0px 10px; font-size: 34px; line-height: normal; font-family: Times; color: rgb(225, 44, 155);foobar/p -- Karl Dubost http://www.la-grange.net/karl/
Re: [clipboard] Add RTF to the mandatory data types list?
Does anyone else have input for/against this? Please chime in. Thanks! Sincerely, James Greene On Thu, Oct 17, 2013 at 6:57 AM, James Greene james.m.gre...@gmail.com wrote: Oh, and I should also mention that the Flash Player clipboard (which we are trying to kill) supports plain text, HTML, and RTF, as well as custom application-defined data types. http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/desktop/Clipboard.html On Oct 17, 2013 5:44 AM, James Greene james.m.gre...@gmail.com wrote: Would it be possible to add RTF (MIME type of application/rtf) [1] to the mandatory data types [2] list? While it is a proprietary file format held by Microsoft, it also has public specs [3][4] and is designed for cross-platform interchange of text and graphics. More importantly, I speculate that it is one of the top three types of text formats that people copy-and-paste: plain text, RTF, and HTML. It is also supported, or at least readable, by almost every word processing application ever made: Microsoft Word, WordPerfect, WordPad, OpenOffice, FreeOffice, LibreOffice, etc. This is not limited to desktop office application either, however, as RTF is also supported by online solutions such as Google Docs, Zoho Docs, etc. With all that in mind, it definitely seems like it should be on the mandatory data types list. Are there any legal roadblocks to making a proprietary data format a mandatory type? Are there any other reasons why people think that RTF should be excluded from the list? Please let me know and/or discuss. Thanks! [1] http://en.wikipedia.org/wiki/Rich_Text_Format [2] http://www.w3.org/TR/clipboard-apis/#mandatory-data-types-1 [3] RTF spec v1.8 http://www.microsoft.com/en-us/download/details.aspx?id=7105 [4] RTF spec v1.9.1 http://www.microsoft.com/en-us/download/details.aspx?id=10725 Sincerely, James Greene
Re: [clipboard] Add RTF to the mandatory data types list?
Oh, and I should also mention that the Flash Player clipboard (which we are trying to kill) supports plain text, HTML, and RTF, as well as custom application-defined data types. http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/desktop/Clipboard.html On Oct 17, 2013 5:44 AM, James Greene james.m.gre...@gmail.com wrote: Would it be possible to add RTF (MIME type of application/rtf) [1] to the mandatory data types [2] list? While it is a proprietary file format held by Microsoft, it also has public specs [3][4] and is designed for cross-platform interchange of text and graphics. More importantly, I speculate that it is one of the top three types of text formats that people copy-and-paste: plain text, RTF, and HTML. It is also supported, or at least readable, by almost every word processing application ever made: Microsoft Word, WordPerfect, WordPad, OpenOffice, FreeOffice, LibreOffice, etc. This is not limited to desktop office application either, however, as RTF is also supported by online solutions such as Google Docs, Zoho Docs, etc. With all that in mind, it definitely seems like it should be on the mandatory data types list. Are there any legal roadblocks to making a proprietary data format a mandatory type? Are there any other reasons why people think that RTF should be excluded from the list? Please let me know and/or discuss. Thanks! [1] http://en.wikipedia.org/wiki/Rich_Text_Format [2] http://www.w3.org/TR/clipboard-apis/#mandatory-data-types-1 [3] RTF spec v1.8 http://www.microsoft.com/en-us/download/details.aspx?id=7105 [4] RTF spec v1.9.1 http://www.microsoft.com/en-us/download/details.aspx?id=10725 Sincerely, James Greene