- From: Daniel Cheng <dcheng@chromium.org>
- Date: Tue, 17 May 2011 10:31:33 -0700
- To: Paul Libbrecht <paul@hoplahup.net>
- Cc: Boris Zbarsky <bzbarsky@mit.edu>, public-webapps@w3.org
Received on Tuesday, 17 May 2011 17:31:58 UTC
On Tue, May 17, 2011 at 10:18, Paul Libbrecht <paul@hoplahup.net> wrote:

> On 17 May 2011 at 19:14, Daniel Cheng wrote:
>
> I actually did implement reading arbitrary types from the clipboard/drop at
> one point on Linux just to see how it'd work. When I copied a file in
> Nautilus, the full path to the file was available in several different
> flavors from the clipboard X selection. In order to prevent attacks of this
> sort, we'd have to determine the full set of types that file managers and
> other programs could potentially populate with file paths and then
> explicitly try to clean them of file paths. It's much easier to just go the
> other direction with a whitelist.
>
>
> This was certainly at least copied in plain-text as well, or?
> The risk is here today then already, correct? (even with traditional forms
> and a quick onchange that makes it invisible).
>
> paul

It is not because Chromium specifically clears the plain text type if it detects a file drag.

Daniel
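
The trade-off discussed in this message, as an added example that is not part of the original post and is not Chromium code: a denylist that scrubs known path-bearing flavors is compared with an allowlist that also clears `text/plain` on a file drag. The type lists, the `isFileDrag` flag, the vendor flavor and the sample selection are all constructed assumptions.

```javascript
// Added illustration, not Chromium code. All type lists and data are constructed.
const ALLOWED_TYPES = new Set(['text/plain', 'text/html']);
// A denylist can only name the path-bearing flavors its author already knows about.
const KNOWN_PATH_TYPES = new Set(['text/uri-list', 'x-special/gnome-copied-files']);

// Constructed sample: flavors present after copying one file in a file manager.
const SECRET_PATH = '/home/alice/secret.txt';
const sampleSelection = new Map([
  ['x-special/gnome-copied-files', 'copy\nfile://' + SECRET_PATH],
  ['text/uri-list', 'file://' + SECRET_PATH],
  ['text/plain', SECRET_PATH],
  ['UTF8_STRING', SECRET_PATH],
  ['application/x-example-fm-paths', SECRET_PATH], // made-up vendor flavor
]);

// Denylist: expose everything except flavors known to carry paths.
function exposeWithDenylist(selection) {
  return new Map([...selection].filter(([type]) => !KNOWN_PATH_TYPES.has(type)));
}

// Allowlist: expose only named flavors; on a file drag also clear text/plain.
function exposeWithAllowlist(selection, isFileDrag) {
  return new Map([...selection].filter(([type]) =>
    ALLOWED_TYPES.has(type) && !(isFileDrag && type === 'text/plain')));
}

// Flavors in the exposed set whose data still contains the path.
function leakingTypes(exposed, path) {
  return [...exposed].filter(([, data]) => data.includes(path)).map(([type]) => type);
}

console.log('denylist leaks:',
  leakingTypes(exposeWithDenylist(sampleSelection), SECRET_PATH));
console.log('allowlist without clearing:',
  leakingTypes(exposeWithAllowlist(sampleSelection, false), SECRET_PATH));
console.log('allowlist with file-drag clearing:',
  leakingTypes(exposeWithAllowlist(sampleSelection, true), SECRET_PATH));
```

The middle case shows why the allowlist alone is not enough when the file manager also writes the path as plain text, which is the gap the file-drag clearing closes.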