- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 10 Feb 2012 00:24:05 +0000 (UTC)
- To: Daniel Cheng <dcheng@chromium.org>
- cc: "Hallvord R. M. Steen" <hallvord@opera.com>, public-webapps@w3.org
On Wed, 18 May 2011, Daniel Cheng wrote:
> On Wed, May 18, 2011 at 16:54, Hallvord R. M. Steen <hallvord@opera.com> wrote:
> >
> > Not 100% sure what you mean by "concerns" - do you mean for example if
> > I drag a selection that embeds local images from my local word
> > processing application to an online editor? I don't know how/if DnD
> > handles this use case. CCing Ian.
>
> We're going out of our way to do lots of special processing for HTML in
> a paste. Why doesn't a drop of HTML get the same treatment?

Presumably the scenario is that hostile page A provides some content and
gets the user to select and copy or drag it to page B's contentEditable
region, including any script in the selection, which once pasted becomes
a cross-site scripting vulnerability.

As far as I see it, the right way to solve this is for dragging, copying,
dropping, and pasting of HTML to filter the DOM using a whitelist. It's
not clear to me that this needs to be done in an interoperable way.

I've mentioned this in the drag-and-drop spec.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
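An added example (not from this thread, nor from any browser engine or editor the thread mentions) of the whitelist filtering Ian describes: the text/html flavour of a paste or drop is parsed to a DOM, only allowlisted elements and attributes survive, and the result is re-serialised before it reaches the contentEditable region. The allowlist, the SAFE_URL pattern and all function names are my own choices; filterTree and toHtml are pure and run anywhere, while domToTree, sanitizeHtml and installPasteDropFilter assume a browser DOM (DOMParser, addEventListener, execCommand).

```javascript
// Allowlist: element -> attributes that may survive; everything else is removed.
const ALLOWED = { p: [], b: [], i: [], em: [], strong: [], br: [], ul: [], ol: [], li: [],
                  a: ['href'], img: ['src', 'alt'] };
const SAFE_URL = /^(https?:|mailto:)/i;               // rejects javascript:, data:, vbscript:, ...
// Filter a plain tree ({tag, attrs, children} or {text}); returns the list of nodes kept.
function filterTree(node) {
  if (node.text !== undefined) return [{ text: node.text }];
  const tag = node.tag.toLowerCase();
  if (tag === 'script' || tag === 'style') return [];   // dropped together with their contents
  const kids = (node.children || []).flatMap(filterTree);
  const allowedAttrs = ALLOWED[tag];
  if (!allowedAttrs) return kids;                       // unlisted element: unwrap, keep children
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    const n = name.toLowerCase();
    if (!allowedAttrs.includes(n)) continue;              // drops onclick, onerror, style, ...
    if ((n === 'href' || n === 'src') && !SAFE_URL.test(value.trim())) continue;
    attrs[n] = value;
  }
  return [{ tag, attrs, children: kids }];
}
// Re-serialise the filtered tree; text and attribute values are escaped on the way out.
const esc = (s) => s.replace(/[&<>"]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c]));
function toHtml(nodes) {
  return nodes.map((n) => {
    if (n.text !== undefined) return esc(n.text);
    const attrs = Object.entries(n.attrs).map(([k, v]) => ` ${k}="${esc(v)}"`).join('');
    if (n.tag === 'br' || n.tag === 'img') return `<${n.tag}${attrs}>`;
    return `<${n.tag}${attrs}>${toHtml(n.children)}</${n.tag}>`;
  }).join('');
}
// Browser-only glue (needs a DOM): parse the text/html flavour, filter it, and reinsert it.
function domToTree(el) {
  if (el.nodeType === 3) return { text: el.data };
  if (el.nodeType !== 1) return null;                   // comments etc. are dropped
  const attrs = {};
  for (const a of el.attributes) attrs[a.name] = a.value;
  return { tag: el.localName, attrs, children: [...el.childNodes].map(domToTree).filter(Boolean) };
}
function sanitizeHtml(html) {
  const body = new DOMParser().parseFromString(html, 'text/html').body;
  return toHtml(filterTree(domToTree(body)));
}
function installPasteDropFilter(editable) {
  for (const type of ['paste', 'drop']) editable.addEventListener(type, (ev) => {
    const html = (ev.clipboardData || ev.dataTransfer).getData('text/html');
    if (!html) return;                                  // no HTML flavour: let the browser handle it
    ev.preventDefault();
    document.execCommand('insertHTML', false, sanitizeHtml(html));
  });
}
```

Call installPasteDropFilter(document.querySelector('[contenteditable]')) once on page B; the plain text that the selection carries alongside the HTML is untouched.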
Received on Friday, 10 February 2012 00:24:28 UTC