
Re: risks of custom clipboard types

From: Paul Libbrecht <paul@hoplahup.net>
Date: Tue, 17 May 2011 19:18:30 +0200
Cc: Boris Zbarsky <bzbarsky@mit.edu>, public-webapps@w3.org
Message-Id: <15B91D52-DB49-489D-BFFD-D3871A771819@hoplahup.net>
To: Daniel Cheng <dcheng@chromium.org>

On 17 May 2011, at 19:14, Daniel Cheng wrote:

> I actually did implement reading arbitrary types from the clipboard/drop at one point on Linux just to see how it'd work. When I copied a file in Nautilus, the full path to the file was available in several different flavors from the clipboard X selection. In order to prevent attacks of this sort, we'd have to determine the full set of types that file managers and other programs could potentially populate with file paths and then explicitly try to clean them of file paths. It's much easier to just go the other direction with a whitelist.

This was certainly at least copied in plain text as well, wasn't it?
The risk is here today then already, correct? (even with traditional forms and a quick onchange that makes it invisible).

Received on Tuesday, 17 May 2011 17:18:54 UTC
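Added example, not part of the original messages and not any browser's implementation: a sketch contrasting the two filtering directions discussed above over a constructed clipboard snapshot. The flavor `application/x-vendor-fileref`, the path, and the assumption that `text/plain` also carries the path (the question raised in the reply) are illustrative.

```javascript
// Constructed sample: flavors a file manager might place on the clipboard
// when a file is copied. Path and the vendor flavor are made up.
const SAMPLE_PATH = "/home/alice/notes.txt";
const copiedFile = new Map([
  ["text/plain", SAMPLE_PATH], // assumption: plain text also holds the path
  ["text/uri-list", "file://" + SAMPLE_PATH],
  ["x-special/gnome-copied-files", "copy\nfile://" + SAMPLE_PATH],
  ["application/x-vendor-fileref", SAMPLE_PATH], // hypothetical flavor
]);

// Denylist direction: strip flavors known to carry paths, pass the rest.
// It is only as good as the list of flavors someone thought to enumerate.
const KNOWN_PATH_TYPES = new Set([
  "text/uri-list",
  "x-special/gnome-copied-files",
]);
function exposeWithDenylist(clipboard) {
  const exposed = new Map();
  for (const [type, data] of clipboard) {
    if (!KNOWN_PATH_TYPES.has(type)) exposed.set(type, data);
  }
  return exposed;
}

// Allowlist direction: only explicitly permitted types reach the page.
const ALLOWED_TYPES = new Set(["text/plain", "text/html"]);
function exposeWithAllowlist(clipboard) {
  const exposed = new Map();
  for (const [type, data] of clipboard) {
    if (ALLOWED_TYPES.has(type)) exposed.set(type, data);
  }
  return exposed;
}

// Which exposed flavors still contain the local path?
function typesLeakingPath(exposed, path) {
  return [...exposed].filter(([, data]) => data.includes(path))
                     .map(([type]) => type);
}

// Denylist misses the flavor nobody enumerated; allowlist narrows the
// exposure to text/plain, which is the residual case the reply asks about.
console.log("denylist :", typesLeakingPath(exposeWithDenylist(copiedFile), SAMPLE_PATH));
console.log("allowlist:", typesLeakingPath(exposeWithAllowlist(copiedFile), SAMPLE_PATH));
```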
