hixie: Mention that UAs should whitelist filter drag-and-drop content to prevent XSS attacks. (whatwg r6986)

From: poot <cvsmail@w3.org>
Date: Thu, 09 Feb 2012 19:24:46 -0500
To: public-html-diffs@w3.org
Message-Id: <E1RveIA-0002Y4-0L@jay.w3.org>
hixie: Mention that UAs should whitelist filter drag-and-drop content to
prevent XSS attacks. (whatwg r6986)

http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.5579&r2=1.5580&f=h
http://html5.org/tools/web-apps-tracker?from=6985&to=6986

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.5579
retrieving revision 1.5580
diff -u -d -r1.5579 -r1.5580
--- Overview.html	9 Feb 2012 23:13:08 -0000	1.5579
+++ Overview.html	10 Feb 2012 00:24:36 -0000	1.5580
@@ -320,7 +320,7 @@
 
    <h1>HTML5</h1>
    <h2 class="no-num no-toc" id="a-vocabulary-and-associated-apis-for-html-and-xhtml">A vocabulary and associated APIs for HTML and XHTML</h2>
-   <h2 class="no-num no-toc" id="editor-s-draft-9-february-2012">Editor's Draft 9 February 2012</h2>
+   <h2 class="no-num no-toc" id="editor-s-draft-10-february-2012">Editor's Draft 10 February 2012</h2>
    <dl><dt>Latest Published Version:</dt>
     <dd><a href="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a></dd>
     <dt>Latest Editor's Draft:</dt>
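Review bot: the heading `id` and its text are bumped together here ("editor-s-draft-10-february-2012" with "Editor's Draft 10 February 2012"), which keeps any fragment links consistent; no further change needed, but note that the second hunk carries the matching prose date and the two must always be updated in the same commit.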
@@ -467,7 +467,7 @@
   Group</a> is the W3C working group responsible for this
   specification's progress along the W3C Recommendation
   track.
-  This specification is the 9 February 2012 Editor's Draft.
+  This specification is the 10 February 2012 Editor's Draft.
   </p><!-- UNDER NO CIRCUMSTANCES IS THE PRECEDING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><p>Work on this specification is also done at the <a href="http://www.whatwg.org/">WHATWG</a>. The W3C HTML working group
   actively pursues convergence with the WHATWG, as required by the <a href="http://www.w3.org/2007/03/HTML-WG-charter">W3C HTML working
   group charter</a>.</p><!-- UNDER NO CIRCUMSTANCES IS THE FOLLOWING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><p>This document was produced by a group operating under the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5
@@ -57438,6 +57438,24 @@
   data to be dragged from sensitive sources and dropped into hostile
   documents without the user's consent.</p>
 
+  <p>User agents should filter potentially active (scripted) content
+  (e.g. HTML) when it is dragged and when it is dropped, using a
+  whitelist of known-safe features. This specification does not
+  specify how this is performed.</p>
+
+  <div class="example">
+
+   <p>Consider a hostile page providing some content and gettuing the
+   user to select and drag and drop (or indeed, copy and paste) that
+   content to a victim page's <code title="attr-contenteditable"><a href="#attr-contenteditable">contenteditable</a></code> region. If the
+   browser does not ensure that only safe content is dragged,
+   potentially unsafe content such as scripts and event handlers in
+   the selection, once dropped (or pasted) into the victim site, get
+   the privileges of the victim site. This would thus enable a
+   cross-site scripting attack.</p>
+
+  </div>
+
   </div><h2 id="syntax"><span class="secno">8 </span><dfn>The HTML syntax</dfn></h2><p class="note">This section only describes the rules for resources
   labeled with an <a href="#html-mime-type">HTML MIME type</a>. Rules for XML resources
   are discussed in the section below entitled "<a href="#the-xhtml-syntax">The XHTML
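Review bot: the normative requirement in the first added paragraph ("User agents should filter ... using a whitelist of known-safe features. This specification does not specify how this is performed.") gives implementers no minimum bar, so browsers will diverge on what counts as "known-safe"; it would help to at least name the classes the example itself identifies as dangerous ("scripts and event handlers") and URL schemes that execute script, or to reference a sanitization definition elsewhere in the spec, even if the exact list is left to the UA. Two smaller points in the same hunk: the example explicitly covers "(or indeed, copy and paste)" but the normative sentence only mentions drag and drop, so the paste path into a `contenteditable` region is left unaddressed by the requirement while being called out as equally risky by the example; and "gettuing" in the example paragraph should read "getting".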
Received on Friday, 10 February 2012 00:24:47 GMT