W3C home > Mailing lists > Public > public-htmail@w3.org > November 2014

Re: "cleaning HTML for security"

From: Stefan Mies <stefan.mies@gmail.com>
Date: Mon, 10 Nov 2014 15:34:56 +0100
Message-ID: <CAOMFAkocn5zphMJx=_JANi-2BWUeJYQj=ZbU4_n6tGz0A=mGxg@mail.gmail.com>
To: Chaals from Yandex <chaals@yandex-team.ru>
Cc: HTML for Email Community Group <public-htmail@w3.org>

sounds good! I think the best is to organize it in our wiki with table
header like: Group (CSS/Javascript/HTML ...) / Tag / Status (Removed / Add)
/ Why?


2014-11-10 13:45 GMT+01:00 <chaals@yandex-team.ru>:

> Hi,
> in the WebApps working group, there is a spec for a clipboard API - mostly
> about automatic copy/paste.
> One of the things they want to do before finishing it is describe how HTML
> gets cleaned up for security before pasting into a random page. This may or
> may not be similar to the things that are removed from mail when it is e.g.
> presented in Webmail for security reasons.
> I don't expect to get a copy of everyone's security policies in detail,
> but I think it would be useful to at least list common things that are
> "removed" for security purposes, along with some explanation of the reason.
> For example I presume that more or less everyone takes out javascript
> "eval" statements, because there is no way to automatically check that they
> will do no harm.
> Would it be good to have a page to collect this in our wiki, or are people
> prepared to send at least some of the stuff to the mailing list (and a
> volunteer - I see one in the mirror - could start to gather them in a wiki)?
> This would be helpful for us, and I think helpful for the WebApps group -
> which means they look at what we are doing which is also helpful for us.
> cheers
> Chaals
> --
> Charles McCathie Nevile - web standards - CTO Office, Yandex
> chaals@yandex-team.ru - - - Find more at http://yandex.com
Received on Monday, 10 November 2014 14:35:22 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:54:17 UTC