W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2011

Re: clipboard events

From: Robert O'Callahan <robert@ocallahan.org>
Date: Tue, 4 Jan 2011 18:51:56 +1300
Message-ID: <AANLkTinq4dga43zz2-E4d=MbMi_ss2-cV250pJmTqiHb@mail.gmail.com>
To: "Hallvord R. M. Steen" <hallvord@opera.com>
Cc: public-webapps@w3.org
On Tue, Jan 4, 2011 at 5:35 PM, Hallvord R. M. Steen <hallvord@opera.com>wrote:

> On Mon, 27 Dec 2010 14:24:39 +0900, Robert O'Callahan <
> robert@ocallahan.org> wrote:
>
>  The sanitization algorithm needs to consider <style> elements and 'style'
>> content attributes. Some browsers, e.g. IE, support CSS features that
>> allow script execution.
>>
>
> Good point. Would it be sufficient to say something like
>
> "If the implementation supports embedding javascript: URLs or other forms
> of scripting inside CSS instructions, such scripts must be removed." ?


Probably not. One problem is that if some implementation supports
CSS-triggered scripts via some CSS extension, then ideally other
implementations would ensure that those extensions are stripped. E.g. Opera
doesn't support IE's expression() CSS extension, but if an Opera user pastes
untrusted HTML into a Web site, IE users may become vulnerable.

Maybe your spec should just mention that something needs to be done here and
move on. This is a rather tough issue and it wouldn't be fair to make you
responsible for solving it :-).

Rob
-- 
"Now the Bereans were of more noble character than the Thessalonians, for
they received the message with great eagerness and examined the Scriptures
every day to see if what Paul said was true." [Acts 17:11]
Received on Tuesday, 4 January 2011 05:52:25 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:42 GMT