- From: Paul Libbrecht <paul@activemath.org>
- Date: Thu, 23 Oct 2008 10:12:07 +0200
- To: public-webapps@w3.org, Math Working Group WG <member-math@w3.org>
- Message-Id: <81428A28-FB56-4EC8-B07C-1F24E02DE119@activemath.org>
(cross-posting to member-math and public-webapps, sorry if this bothers) Interesting, meeting really helped, Yesterday, discussion with Chris Wilson and Adrian Bateman, of MSIE team, revealed that allowing arbitrary flavours would be a big security hole for Windows at least (I believe this is Windows only but can't confirm yet). So it seems the list of safe encodings is something that would need to be worked out. A safer approach may be to require that the browsers make sure the things sipped into the clipboard/drag-content are only safe things. Safe things include html without scripts, all picture formats (postscript as well?) and most media, but not html with scripts, not windows metafiles, not OLE or MS-office documents. Adrian indicated method to convert html to safe-html seem to be there in MSIE 8 already. Sanitization is probably the right term here. paul Le 22-oct.-08 à 17:02, Ian Hickson a écrit : > On Wed, 22 Oct 2008, Charles McCathieNevile wrote: >> >> Sorry, I missed this - I was otherwise occupied at lunch (I am here, >> BTW). >> >> Having hopefully pretty much shifted Progress Events off my plate, I >> hope to move back to the clipboard API stuff now - and the HTML5 >> draft >> is indeed an important reference... >> >> Ian, how stable do you think this bit of the HTML5 spec is? (I >> haven't >> looked yet...) > > Drag and drop is very stable, it's implemented in three browsers now. > There's some outstanding feedback, but not much. The implementation of > copy and paste in terms of drag and drop (a design motivated > primarily by > accessibility and security concerns) is not widely implemented, > though I > have no pending feedback regarding changes to that. > > -- > Ian Hickson U+1047E ) > \._.,--....,'``. fL > http://ln.hixie.ch/ U+263A /, _.. \ _ > \ ;`._ ,. > Things that are impossible just take longer. `._.-(,_..'-- > (,_..'`-.;.'
Attachments
- application/pkcs7-signature attachment: smime.p7s
Received on Thursday, 23 October 2008 08:12:52 UTC