Re: safeguarding a live getData() against looping scripts? (was: Re: clipboard events)

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 10 Feb 2012 00:24:05 +0000 (UTC)
To: Daniel Cheng <dcheng@chromium.org>
cc: "Hallvord R. M. Steen" <hallvord@opera.com>, public-webapps@w3.org
Message-ID: <Pine.LNX.4.64.1202100016450.3868@ps20323.dreamhostps.com>

On Wed, 18 May 2011, Daniel Cheng wrote:
> On Wed, May 18, 2011 at 16:54, Hallvord R. M. Steen <hallvord@opera.com> wrote:
> > 
> > Not 100% sure what you mean by "concerns" - do you mean for example if 
> > I drag a selection that embeds local images from my local word 
> > processing application to an online editor? I don't know how/if DnD 
> > handles this use case. CCing Ian.
> 
> We're going out of our way to do lots of special processing for HTML in 
> a paste. Why doesn't a drop of HTML get the same treatment?

Presumably the scenario is that hostile page A provides some content and 
gets the user to select and copy or drag it to page B's contentEditable 
region, including any script in the selection, which once pasted becomes a 
cross-site scripting vulnerability.

As far as I see it, the right way to solve this is for dragging, copying, 
dropping, and pasting of HTML to filter the DOM using a whitelist. It's 
not clear to me that this needs to be done in an interoperable way.

I've mentioned this in the drag-and-drop spec.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 10 February 2012 00:24:28 GMT
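
The whitelist filtering suggested in the message above, as an added example (not code from the thread, the drag-and-drop spec, or any browser). It assumes the pasted or dropped HTML has already been parsed into a plain object tree; the node shape and the tag, attribute and scheme lists are illustrative choices.

```javascript
// Added example. Node shape is an assumption: {tag, attrs, children} or {text}.
const ALLOWED_TAGS = new Set(["p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "img"]);
const ALLOWED_ATTRS = { a: ["href", "title"], img: ["src", "alt"] };
const URL_ATTRS = new Set(["href", "src"]);
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
// Elements whose content is code or a nested document: removed with their subtree.
const DROP_SUBTREE = new Set(["script", "style", "iframe", "object", "embed", "template"]);
const VOID_TAGS = new Set(["br", "img"]);

function safeUrl(value) {
  try {
    // The WHATWG URL parser strips tabs/newlines, so "java\tscript:" resolves to javascript:.
    return ALLOWED_SCHEMES.has(new URL(value, "https://base.invalid/").protocol);
  } catch {
    return false; // unparseable URL: drop the attribute
  }
}

function filterNode(node) {
  if (typeof node.text === "string") return [{ text: node.text }];
  const tag = String(node.tag).toLowerCase();
  if (DROP_SUBTREE.has(tag)) return [];
  const children = (node.children || []).flatMap(filterNode);
  if (!ALLOWED_TAGS.has(tag)) return children; // unknown element: unwrap, keep filtered content
  const attrs = {};
  for (const name of ALLOWED_ATTRS[tag] || []) { // anything not listed (on*, style, ...) is dropped
    const value = (node.attrs || {})[name];
    if (typeof value !== "string" || (URL_ATTRS.has(name) && !safeUrl(value))) continue;
    attrs[name] = value;
  }
  return [{ tag, attrs, children }];
}

const esc = (s) => s.replace(/[&<>"]/g, (c) => `&#${c.charCodeAt(0)};`);
function serialize(nodes) {
  return nodes.map((n) => {
    if (typeof n.text === "string") return esc(n.text);
    const attrs = Object.entries(n.attrs).map(([k, v]) => ` ${k}="${esc(v)}"`).join("");
    const open = `<${n.tag}${attrs}>`;
    return VOID_TAGS.has(n.tag) ? open : `${open}${serialize(n.children)}</${n.tag}>`;
  }).join("");
}
const sanitize = (tree) => serialize(filterNode(tree));
// Constructed sample: a dropped fragment carrying script and handler attributes.
const SAMPLE = { tag: "div", attrs: { onclick: "run()" }, children: [{ tag: "p", children: [
  { text: "See " },
  { tag: "a", attrs: { href: "java\tscript:run()", onmouseover: "run()" }, children: [{ text: "this" }] },
  { tag: "script", children: [{ text: "run()" }] },
  { tag: "img", attrs: { src: "https://example.org/a.png", onerror: "run()" } }] }] };
```

In a browser the same walk would run over the parsed DOM of the clipboard or drag data before it is inserted into the editable region.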