W3C home > Mailing lists > Public > public-htmail@w3.org > November 2014

"cleaning HTML for security"

From: <chaals@yandex-team.ru>
Date: Mon, 10 Nov 2014 15:45:24 +0300
To: HTML for Email Community Group <public-htmail@w3.org>
Message-Id: <42881415623524@webcorp01f.yandex-team.ru>
Hi,

in the WebApps working group, there is a spec for a clipboard API - mostly about automatic copy/paste.

One of the things they want to do before finishing it is describe how HTML gets cleaned up for security before pasting into a random page. This may or may not be similar to the things that are removed from mail when it is e.g. presented in Webmail for security reasons.

I don't expect to get a copy of everyone's security policies in detail, but I think it would be useful to at least list common things that are "removed" for security purposes, along with some explanation of the reason.

For example I presume that more or less everyone takes out javascript "eval" statements, because there is no way to automatically check that they will do no harm.

Would it be good to have a page to collect this in our wiki, or are people prepared to send at least some of the stuff to the mailing list (and a volunteer - I see one in the mirror - could start to gather them in a wiki)?

This would be helpful for us, and I think helpful for the WebApps group - which means they look at what we are doing which is also helpful for us.

cheers

Chaals 

--
Charles McCathie Nevile - web standards - CTO Office, Yandex
chaals@yandex-team.ru - - - Find more at http://yandex.com
Received on Monday, 10 November 2014 12:45:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:54:17 UTC