- From: poot <cvsmail@w3.org>
- Date: Thu, 09 Feb 2012 19:24:46 -0500
- To: public-html-diffs@w3.org
hixie: Mention that UAs should whitelist filter drag-and-drop content to
prevent XSS attacks. (whatwg r6986)
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.5579&r2=1.5580&f=h
http://html5.org/tools/web-apps-tracker?from=6985&to=6986
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.5579
retrieving revision 1.5580
diff -u -d -r1.5579 -r1.5580
--- Overview.html 9 Feb 2012 23:13:08 -0000 1.5579
+++ Overview.html 10 Feb 2012 00:24:36 -0000 1.5580
@@ -320,7 +320,7 @@
<h1>HTML5</h1>
<h2 class="no-num no-toc" id="a-vocabulary-and-associated-apis-for-html-and-xhtml">A vocabulary and associated APIs for HTML and XHTML</h2>
- <h2 class="no-num no-toc" id="editor-s-draft-9-february-2012">Editor's Draft 9 February 2012</h2>
+ <h2 class="no-num no-toc" id="editor-s-draft-10-february-2012">Editor's Draft 10 February 2012</h2>
<dl><dt>Latest Published Version:</dt>
<dd><a href="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a></dd>
<dt>Latest Editor's Draft:</dt>
@@ -467,7 +467,7 @@
Group</a> is the W3C working group responsible for this
specification's progress along the W3C Recommendation
track.
- This specification is the 9 February 2012 Editor's Draft.
+ This specification is the 10 February 2012 Editor's Draft.
</p><!-- UNDER NO CIRCUMSTANCES IS THE PRECEDING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><p>Work on this specification is also done at the <a href="http://www.whatwg.org/">WHATWG</a>. The W3C HTML working group
actively pursues convergence with the WHATWG, as required by the <a href="http://www.w3.org/2007/03/HTML-WG-charter">W3C HTML working
group charter</a>.</p><!-- UNDER NO CIRCUMSTANCES IS THE FOLLOWING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><p>This document was produced by a group operating under the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5
@@ -57438,6 +57438,24 @@
data to be dragged from sensitive sources and dropped into hostile
documents without the user's consent.</p>
+ <p>User agents should filter potentially active (scripted) content
+ (e.g. HTML) when it is dragged and when it is dropped, using a
+ whitelist of known-safe features. This specification does not
+ specify how this is performed.</p>
+
+ <div class="example">
+
+ <p>Consider a hostile page providing some content and gettuing the
+ user to select and drag and drop (or indeed, copy and paste) that
+ content to a victim page's <code title="attr-contenteditable"><a href="#attr-contenteditable">contenteditable</a></code> region. If the
+ browser does not ensure that only safe content is dragged,
+ potentially unsafe content such as scripts and event handlers in
+ the selection, once dropped (or pasted) into the victim site, get
+ the privileges of the victim site. This would thus enable a
+ cross-site scripting attack.</p>
+
+ </div>
+
</div><h2 id="syntax"><span class="secno">8 </span><dfn>The HTML syntax</dfn></h2><p class="note">This section only describes the rules for resources
labeled with an <a href="#html-mime-type">HTML MIME type</a>. Rules for XML resources
are discussed in the section below entitled "<a href="#the-xhtml-syntax">The XHTML
Received on Friday, 10 February 2012 00:24:47 UTC