
Re: paste events and HTML support - interest in exposing a DOM tree?

From: Paul Libbrecht <paul@hoplahup.net>
Date: Tue, 3 May 2011 19:05:55 +0200
Cc: public-webapps@w3.org, João Eiras <joao.eiras@gmail.com>
Message-Id: <33F0896C-1CED-4AD7-8E62-EE1DFFCBDCA9@hoplahup.net>
To: "Hallvord R. M. Steen" <hallvord@opera.com>

On 3 May 2011 at 12:20, Hallvord R. M. Steen wrote:
>> Regarding simplifying the pasted html to remove stuff that could be malicious, consider a rogue app that injects a script in the clipboard and expects the user to hit paste on his bank site.
> Well, I've never seen a bank site with a rich text editor / contentEditable-based feature customers are meant to use ;-)

"write a message to us" ??
Seems like a function an e-banking site offers and could support html one day.
Your other use case remains strong.

One thing that I like in the DOM exposure of the HTML flavour is that it prevents an amount of the threats related to parsing and that is good. In MathML (as in any xml fragment), the only dangers are, I believe:
- parsing time: related files inclusion (schema and dtd notably)
- image and/or style embedding
The first danger is eliminated if the fragment is exposed as a DOM fragment (provided the reference is removed of course).
The second danger is eliminated by the same techniques as those with HTML.

Received on Tuesday, 3 May 2011 17:06:55 UTC
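
Added example, not part of the original message: a sketch of the two mitigations named above for a pasted MathML fragment, refusing any DOCTYPE while parsing and then handing back a tree with image, style and schema references dropped. The blocked name lists, the function names and the sample clipboard string are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Assumed policy (not from the message). Names are compared by local part,
# so xlink:href is caught by "href" and xsi:schemaLocation by "schemalocation".
BLOCKED_ATTRS = {"style", "src", "href", "altimg", "background",
                 "schemalocation", "nonamespaceschemalocation"}
BLOCKED_ELEMENTS = {"mglyph", "img", "image", "style", "script"}

# Constructed sample of clipboard content.
SAMPLE = ('<math xmlns="http://www.w3.org/1998/Math/MathML"'
          ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
          ' xsi:schemaLocation="urn:x http://example.invalid/m.xsd">'
          '<mrow style="background:url(http://example.invalid/b)">'
          '<mi>x</mi><mglyph src="http://example.invalid/t.png" alt="t"/>'
          '<mo>+</mo><mn>1</mn></mrow></math>')

class UnsafeFragment(ValueError):
    """Raised when the pasted markup carries a DOCTYPE."""

def local(name):
    return name.rsplit(":", 1)[-1].lower()

def reject_doctype(name, system_id, public_id, has_internal_subset):
    raise UnsafeFragment("DOCTYPE (DTD reference) in pasted fragment")

def paste_to_tree(text):
    """Parse pasted XML and return an Element tree without blocked names."""
    builder, skipping = ET.TreeBuilder(), 0
    def start(name, attrs):
        nonlocal skipping
        if skipping or local(name) in BLOCKED_ELEMENTS:
            skipping += 1          # drop this element and its whole subtree
            return
        builder.start(name, {k: v for k, v in attrs.items()
                             if local(k) not in BLOCKED_ATTRS})
    def end(name):
        nonlocal skipping
        if skipping:
            skipping -= 1
        else:
            builder.end(name)
    parser = expat.ParserCreate()  # expat fetches no external entities itself
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = lambda s: None if skipping else builder.data(s)
    parser.Parse(text, True)
    return builder.close()
```
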
