W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2013

Re: Clipboard API: Stripping script element

From: James Graham <jgraham@opera.com>
Date: Thu, 28 Mar 2013 11:18:14 +0100
Message-ID: <515418E6.7010209@opera.com>
To: public-webapps@w3.org
On 03/28/2013 10:36 AM, Hallvord Reiar Michaelsen Steen wrote:
>> In particular, WebKit has been stripping script element from the
>> pasted content but this may have some side effects on CSS rules.]
>
>
>
> AFAIK (without re-testing right now), WebKit's implementation is:
> * rich text content that is pasted into a page without JS handling it is sanitized (SCRIPT, javascript: links etc removed)
> * a paste event listener that calls getData('text/html') will get the full, pre-sanitized source
>
>
> If that's correct I can add a short description of this to the spec, in the informative section.

Why would this be informative? It seems quite possible to construct 
interop problems stemming from different implementations here e.g. a 
site that assumes that there will never be <script> elements in pasted 
text, or a site that assumes it can get scripts in the result of 
getData("text/html"). Therefore the exact behaviour of the platform in 
this respect needs to be normatively defined.
Received on Thursday, 28 March 2013 10:18:47 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 28 March 2013 10:18:48 UTC