- From: Hallvord R. M. Steen <hallvord@opera.com>
- Date: Fri, 10 Feb 2012 09:09:11 +0100
- To: "Daniel Cheng" <dcheng@chromium.org>, "Ian Hickson" <ian@hixie.ch>
- Cc: public-webapps@w3.org
On Fri, 10 Feb 2012 01:24:05 +0100, Ian Hickson <ian@hixie.ch> wrote:

>> We're going out of our way to do lots of special processing for HTML in
>> a paste. Why doesn't a drop of HTML get the same treatment?

This is a good question.

> Presumably the scenario is that hostile page A provides some content and
> gets the user to select and copy or drag it to page B's contentEditable
> region, including any script in the selection, which once pasted becomes
> a cross-site scripting vulnerability.

That might be one threat model, but it's one that UAs are already handling. Most UAs remove or plan to remove SCRIPT tags from pasted HTML data.

> I've mentioned this in the drag-and-drop spec.

Good idea.

Now, I don't think that was the question Daniel Cheng was asking. If you look at the HTML/XHTML specific instructions for the paste event (in the processing model section: http://dev.w3.org/2006/webapi/clipops/#processing-model ) you'll see that it specifies quite a bit of parsing and such. The goals are:

* Resolve URLs and links - the page script won't know the base URI to resolve against (on Windows this is in the CF_HTML format's meta data and the page script doesn't get access to it)
* Make it possible to paste HTML from a local application that embeds local resources (<img src="file://..">) and enable page scripts to process and upload said resources
* Optionally do extra privacy or security-related filtering if the UA implementor considers it useful

So, I think the question Daniel is asking is: why don't we process URLs and local resources this way if HTML data is drag-and-dropped to a page? Should this processing be moved to the DnD spec?

Finally, regarding the topic this E-mail's subject is dealing with, I've spec'ed this: implementation should use clipboard content sequence number on platforms where this is available, creativity elsewhere, to make sure script can only access one single clipboard entry. I've also added a test for this.

-- 
Hallvord R. M. Steen, Core Tester, Opera Software
http://www.opera.com
http://my.opera.com/hallvors/
Received on Friday, 10 February 2012 08:08:47 UTC