Re: safeguarding a live getData() against looping scripts? (was: Re: clipboard events)

On Wed, 18 May 2011, Daniel Cheng wrote:
> On Wed, May 18, 2011 at 16:54, Hallvord R. M. Steen <hallvord@opera.com> wrote:
> > 
> > Not 100% sure what you mean by "concerns" - do you mean for example if 
> > I drag a selection that embeds local images from my local word 
> > processing application to an online editor? I don't know how/if DnD 
> > handles this use case. CCing Ian.
> 
> We're going out of our way to do lots of special processing for HTML in 
> a paste. Why doesn't a drop of HTML get the same treatment?

Presumably the scenario is that hostile page A provides some content and 
gets the user to select and copy or drag it to page B's contentEditable 
region, including any script in the selection, which once pasted becomes a 
cross-site scripting vulnerability.

As far as I see it, the right way to solve this is for dragging, copying, 
dropping, and pasting of HTML to filter the DOM using a whitelist. It's 
not clear to me that this needs to be done in an interoperable way.

I've mentioned this in the drag-and-drop spec.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Friday, 10 February 2012 00:24:28 UTC
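
The whitelist filtering proposed in the message above, sketched as an added example; it is not part of the original email, the drag-and-drop spec, or any browser's implementation. The tree representation (strings as text nodes, `{ tag, attrs, children }` as elements), the allowlists, and all function names are assumptions chosen for illustration, and the pasted fragment is constructed sample input.

```javascript
// Allowlist filter over a DOM-like tree (hypothetical node shape, see lead-in).
const ALLOWED_TAGS = new Set(["p", "b", "i", "em", "strong", "a", "img", "ul", "ol", "li", "br"]);
const ALLOWED_ATTRS = { a: ["href", "title"], img: ["src", "alt"] };
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);
// Elements removed together with their content, not merely unwrapped.
const DROP_WITH_CONTENT = new Set(["script", "style", "iframe", "object", "embed"]);

function isSafeUrl(value) {
  // Conservatively strip whitespace/control characters before reading the scheme,
  // since URL parsers ignore some of them inside the scheme name.
  const cleaned = String(value).replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*:)/.exec(cleaned);
  return m === null || SAFE_SCHEMES.has(m[1].toLowerCase()); // no scheme = relative URL
}

// Returns the list of nodes that should replace `node` in its parent.
function sanitize(node) {
  if (typeof node === "string") return [node]; // text is inert data
  const tag = String(node.tag).toLowerCase();
  if (DROP_WITH_CONTENT.has(tag)) return [];
  const children = (node.children || []).flatMap(sanitize);
  if (!ALLOWED_TAGS.has(tag)) return children; // unknown element: keep filtered content only
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    const key = name.toLowerCase();
    if (!(ALLOWED_ATTRS[tag] || []).includes(key)) continue; // drops on*, style, ...
    if (URL_ATTRS.has(key) && !isSafeUrl(value)) continue;   // drops javascript:, file:, ...
    attrs[key] = value;
  }
  return [{ tag, attrs, children }];
}

function sanitizeFragment(nodes) {
  return nodes.flatMap(sanitize);
}

// Constructed sample: what a contentEditable region might receive on paste or drop.
const pasted = [
  { tag: "p", attrs: { onclick: "steal()" }, children: [
    "Hello ",
    { tag: "script", attrs: {}, children: ["alert(1)"] },
    { tag: "a", attrs: { href: "javascript:alert(1)", title: "x" }, children: ["link"] },
    { tag: "font", attrs: { color: "red" }, children: [{ tag: "b", attrs: {}, children: ["bold"] }] },
    { tag: "img", attrs: { src: "https://example.com/a.png", onerror: "steal()" }, children: [] },
  ] },
];
console.log(JSON.stringify(sanitizeFragment(pasted), null, 2));
```

Because the filter names what is allowed rather than what is forbidden, elements and attributes it has never heard of are removed by default.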