Re: paste events and HTML support - interest in exposing a DOM tree?

On 3 May 2011, at 12:20, Hallvord R. M. Steen wrote:
>> Regarding simplifying the pasted html to remove stuff that could be malicious, consider a rogue app that injects a script in the clipboard and expects the user to hit paste on his bank site.
> 
> Well, I've never seen a bank site with a rich text editor / contentEditable-based feature customers are meant to use ;-)

"write a message to us" ??
Seems like a function an e-banking site offers and could support HTML one day.
Your other use case remains strong.

One thing that I like in the DOM exposure of the HTML flavour is that it prevents a number of the threats related to parsing, and that is good. In MathML (as in any XML fragment), the only dangers are, I believe:
- parsing time: related file inclusion (schema and DTD notably)
- image and/or style embedding
The first danger is eliminated if the fragment is exposed as a DOM fragment (provided the reference is removed of course).
The second danger is eliminated by the same techniques as those with HTML.


paul

Received on Tuesday, 3 May 2011 17:06:55 UTC
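The two MathML dangers listed in the message above (parse-time inclusion of a DTD or schema, and image/style embedding), handled on a DOM tree rather than on the raw text. This is an added example, not code from the thread, from W3C or from any browser: it uses the Python standard-library minidom as a stand-in for the inert tree a paste event would expose, rejects any fragment that carries a DOCTYPE, and strips embedding attributes and foreign elements from the tree. The element allowlist, the attribute list and the three sample fragments are this example's own assumptions and constructions.

```python
"""Sanitize a pasted MathML fragment by working on its DOM tree.

Added example (not from the mailing-list thread). The fragment is parsed
into an inert tree with minidom, the parse-time external reference
(DOCTYPE / DTD / entity declarations) is rejected, and embedding
attributes are stripped on the tree. The allowlists below are assumptions
of this example, not a W3C list.
"""
import xml.dom.minidom as minidom
from xml.parsers.expat import ExpatError

MATHML_NS = "http://www.w3.org/1998/Math/MathML"

# Presentation-MathML elements kept by this example (assumed allowlist).
# mglyph is deliberately absent: its only purpose is to embed an image.
ALLOWED_ELEMENTS = frozenset({
    "math", "mrow", "mi", "mn", "mo", "mtext", "mspace", "ms",
    "mfrac", "msqrt", "mroot", "mstyle", "merror", "mpadded", "mphantom",
    "mfenced", "menclose", "msub", "msup", "msubsup", "munder", "mover",
    "munderover", "mmultiscripts", "mprescripts", "none",
    "mtable", "mtr", "mtd", "mlabeledtr", "semantics", "annotation",
})

# Attributes (by local name) that embed external resources or style:
# href / xlink:href (MathML linking), altimg (image fallback on <math>),
# src (mglyph image), style and class (styling hooks).
DROPPED_ATTRS = frozenset({"href", "src", "style", "altimg", "class"})


def _scrub_attributes(el):
    """Remove embedding, styling and event-handler attributes from one element."""
    for qname in list(el.attributes.keys()):
        local = qname.rsplit(":", 1)[-1]
        if local in DROPPED_ATTRS or local.startswith("on"):
            el.removeAttribute(qname)


def _scrub_children(el):
    """Keep text and allowlisted MathML elements; drop everything else."""
    for child in list(el.childNodes):
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            continue
        if (child.nodeType == child.ELEMENT_NODE
                and child.namespaceURI == MATHML_NS
                and child.localName in ALLOWED_ELEMENTS):
            _scrub_attributes(child)
            _scrub_children(child)
        else:
            # Foreign elements (e.g. an XHTML <script>), comments and
            # processing instructions are removed together with their subtree.
            el.removeChild(child)


def sanitize_mathml(fragment):
    """Return the serialized, cleaned <math> element, or None if rejected."""
    try:
        doc = minidom.parseString(fragment)
    except ExpatError:
        return None          # malformed, or references an undeclared entity
    # Parse-time danger: any DOCTYPE (external DTD, entity declarations).
    # minidom does not fetch external entities, but the reference itself is
    # rejected so that the consumer never sees it.
    if doc.doctype is not None:
        return None
    root = doc.documentElement
    if root.namespaceURI != MATHML_NS or root.localName != "math":
        return None
    _scrub_attributes(root)
    _scrub_children(root)
    return root.toxml()


# Constructed sample fragments for demonstration only.
CLEAN = ('<math xmlns="http://www.w3.org/1998/Math/MathML">'
         '<mi>x</mi><mo>+</mo><mn>1</mn></math>')
EMBEDDING = ('<math xmlns="http://www.w3.org/1998/Math/MathML" '
             'xmlns:xlink="http://www.w3.org/1999/xlink" '
             'altimg="http://example.invalid/f.png">'
             '<mi href="javascript:alert(1)" style="color:red">x</mi>'
             '<mglyph src="http://example.invalid/g.png" alt="g"/>'
             '<script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>'
             '</math>')
XXE = ('<!DOCTYPE math [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
       '<math xmlns="http://www.w3.org/1998/Math/MathML">'
       '<mtext>&ext;</mtext></math>')

if __name__ == "__main__":
    print(sanitize_mathml(CLEAN))
    print(sanitize_mathml(EMBEDDING))
    print(sanitize_mathml(XXE))
```

The order matters: the DOCTYPE check runs before any tree walk, because the external reference is a parse-time problem and no attribute stripping can undo a fetch that already happened. The tree walk then applies the same allowlist approach one would use on pasted HTML, which is the point the message makes about the second danger.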