
Re: clipboard events

From: Robert O'Callahan <robert@ocallahan.org>
Date: Tue, 4 Jan 2011 15:01:39 +1300
Message-ID: <AANLkTi=eCjogWnY+mTDvWz4Bq0cLQm8VrReGtz12tyCr@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: "Hallvord R. M. Steen" <hallvord@opera.com>, public-webapps@w3.org
On Tue, Jan 4, 2011 at 2:28 AM, Anne van Kesteren <annevk@opera.com> wrote:

> On Mon, 27 Dec 2010 06:24:39 +0100, Robert O'Callahan <
> robert@ocallahan.org> wrote:
>
>> The sanitization algorithm needs to consider <style> elements and 'style'
>> content attributes. Some browsers, e.g. IE, support CSS features that
>> allow script execution.
>>
>
> I think it might be better to define this in the opposite way. I.e. list
> the things we want to allow through. This will probably lead to a longer
> list, but at least safeguards against future features and gives the right
> example to people who happen to look at this document for sanitizing ideas.
>

I specifically avoided the issue of whether to whitelist or blacklist :-).

Whitelisting is preferable for security, but it turns out that the obvious
whitelists break things. For example, some HTML editors expect to be able to
get pasted HTML from Microsoft Word containing -mso styles, which they will
then process into something else. So a CSS whitelist would need to include
at least some -mso stuff, and who knows what else.

Rob
-- 
"Now the Bereans were of more noble character than the Thessalonians, for
they received the message with great eagerness and examined the Scriptures
every day to see if what Paul said was true." [Acts 17:11]
Received on Tuesday, 4 January 2011 02:02:12 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:42 GMT