- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Fri, 10 Feb 2012 00:24:40 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec In directory hutz:/tmp/cvs-serv12123 Modified Files: Overview.html Log Message: Mention that UAs should whitelist filter drag-and-drop content to prevent XSS attacks. (whatwg r6986) Index: Overview.html =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.5579 retrieving revision 1.5580 diff -u -d -r1.5579 -r1.5580 --- Overview.html 9 Feb 2012 23:13:08 -0000 1.5579 +++ Overview.html 10 Feb 2012 00:24:36 -0000 1.5580 @@ -320,7 +320,7 @@ <h1>HTML5</h1> <h2 class="no-num no-toc" id="a-vocabulary-and-associated-apis-for-html-and-xhtml">A vocabulary and associated APIs for HTML and XHTML</h2> - <h2 class="no-num no-toc" id="editor-s-draft-9-february-2012">Editor's Draft 9 February 2012</h2> + <h2 class="no-num no-toc" id="editor-s-draft-10-february-2012">Editor's Draft 10 February 2012</h2> <dl><dt>Latest Published Version:</dt> <dd><a href="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a></dd> <dt>Latest Editor's Draft:</dt> @@ -467,7 +467,7 @@ Group</a> is the W3C working group responsible for this specification's progress along the W3C Recommendation track. - This specification is the 9 February 2012 Editor's Draft. + This specification is the 10 February 2012 Editor's Draft. </p><!-- UNDER NO CIRCUMSTANCES IS THE PRECEDING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><p>Work on this specification is also done at the <a href="http://www.whatwg.org/">WHATWG</a>. The W3C HTML working group actively pursues convergence with the WHATWG, as required by the <a href="http://www.w3.org/2007/03/HTML-WG-charter">W3C HTML working group charter</a>.</p><!-- UNDER NO CIRCUMSTANCES IS THE FOLLOWING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><p>This document was produced by a group operating under the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 @@ -57438,6 +57438,24 @@ data to be dragged from sensitive sources and dropped into hostile documents without the user's consent.</p> + <p>User agents should filter potentially active (scripted) content + (e.g. HTML) when it is dragged and when it is dropped, using a + whitelist of known-safe features. This specification does not + specify how this is performed.</p> + + <div class="example"> + + <p>Consider a hostile page providing some content and gettuing the + user to select and drag and drop (or indeed, copy and paste) that + content to a victim page's <code title="attr-contenteditable"><a href="#attr-contenteditable">contenteditable</a></code> region. If the + browser does not ensure that only safe content is dragged, + potentially unsafe content such as scripts and event handlers in + the selection, once dropped (or pasted) into the victim site, get + the privileges of the victim site. This would thus enable a + cross-site scripting attack.</p> + + </div> + </div><h2 id="syntax"><span class="secno">8 </span><dfn>The HTML syntax</dfn></h2><p class="note">This section only describes the rules for resources labeled with an <a href="#html-mime-type">HTML MIME type</a>. Rules for XML resources are discussed in the section below entitled "<a href="#the-xhtml-syntax">The XHTML
Received on Friday, 10 February 2012 00:24:42 UTC