
Re: paste events and HTML support - interest in exposing a DOM tree?

From: Paul Libbrecht <paul@hoplahup.net>
Date: Tue, 3 May 2011 19:05:55 +0200
Cc: public-webapps@w3.org, João Eiras <joao.eiras@gmail.com>
Message-Id: <33F0896C-1CED-4AD7-8E62-EE1DFFCBDCA9@hoplahup.net>
To: "Hallvord R. M. Steen" <hallvord@opera.com>



On 3 May 2011 at 12:20, Hallvord R. M. Steen wrote:
>> Regarding simplifying the pasted html to remove stuff that could be malicious, consider a rogue app that injects a script in the clipboard and expects the user to hit paste on his bank site.
> 
> Well, I've never seen a bank site with a rich text editor / contentEditable-based feature customers are meant to use ;-)

"write a message to us" ??
Seems like a function an e-banking site offers and could support HTML one day.
Your other use case remains strong.

One thing that I like in the DOM exposure of the HTML flavour is that it prevents a number of the threats related to parsing, and that is good. In MathML (as in any XML fragment), the only dangers are, I believe:
- parsing time: related files inclusion (schema and DTD notably)
- image and/or style embedding
The first danger is eliminated if the fragment is exposed as a DOM fragment (provided the reference is removed of course).
The second danger is eliminated by the same techniques as those with HTML.


paul
Received on Tuesday, 3 May 2011 17:06:55 GMT
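
The two dangers listed in the message above, shown on a pasted MathML fragment. This is an added example, not part of the original e-mail. The sample fragments, the `example.invalid` URLs, the function names and the attribute policy are assumptions made for illustration, and the block covers reference-carrying attributes only.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed samples: MathML as it might arrive on the clipboard.
WITH_DTD = (
    '<!DOCTYPE math SYSTEM "http://example.invalid/mathml.dtd">'
    '<math xmlns="http://www.w3.org/1998/Math/MathML"><mi>x</mi></math>'
)
WITH_EMBEDS = (
    '<math xmlns="http://www.w3.org/1998/Math/MathML" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xsi:schemaLocation="http://www.w3.org/1998/Math/MathML '
    'http://example.invalid/m.xsd">'
    '<mi style="background:url(http://example.invalid/t.png)">x</mi>'
    '<mglyph src="http://example.invalid/g.png" alt="g"/><mn>2</mn></math>'
)

# Assumed policy: attribute local names that can reference a schema,
# an image or styling outside the fragment.
REFERENCE_ATTRS = {"style", "src", "href", "schemaLocation",
                   "noNamespaceSchemaLocation"}

class FragmentRejected(ValueError):
    """Raised when the fragment carries a DOCTYPE."""

def local(name):
    """Strip ElementTree's '{namespace}' prefix from a tag or attribute."""
    return name.rsplit("}", 1)[-1]

def reject_doctype(text):
    """Parse-time danger: stop at the DOCTYPE, before any DTD is used."""
    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise FragmentRejected(f"DOCTYPE {name!r} references {system_id!r}")
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = on_doctype
    scanner.Parse(text, True)

def clean_fragment(text):
    """Return (root, removed): the parsed tree minus outside references."""
    reject_doctype(text)
    root = ET.fromstring(text)
    removed = []
    for element in root.iter():
        for attr in list(element.attrib):
            if local(attr) in REFERENCE_ATTRS:
                del element.attrib[attr]
                removed.append(f"{local(element.tag)}@{local(attr)}")
    return root, removed

if __name__ == "__main__":
    print(clean_fragment(WITH_EMBEDS)[1])
```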
