
Re: Clipboard API: Stripping script element

From: Hallvord Reiar Michaelsen Steen <hallvord@opera.com>
Date: Thu, 28 Mar 2013 10:36:02 +0100
To: public-webapps@w3.org, "Ryosuke Niwa" <rniwa@apple.com>
Message-ID: <791444e0dfbc2775737882d42ce1076a@opera.com>

> The current clipboard API specification mentions security risks
> of copy & paste but doesn't seem to explicitly mention methods by
> which user agents deal with such security risks.

Hi Ryosuke,
I did remove the section on cleaning up content because it was not implemented by anyone and seemed unlikely to be - but there is some advice in section 8.1 ("Security risks"). It mentions "The user might paste malicious JavaScript into a trusted page." among the risks and suggests (in the table) that the UA may sanitize content that comes from a different origin. I assume you want some more details added here, right?

> In particular, WebKit has been stripping script element from the
> pasted content but this may have some side effects on CSS rules.

AFAIK (without re-testing right now), WebKit's implementation is: 
* rich text content that is pasted into a page without JS handling it is sanitized (SCRIPT, javascript: links etc. removed)
* a paste event listener that calls getData('text/html') will get the full, pre-sanitized source

If that's correct I can add a short description of this to the spec, in the informative section.

Hallvord R. M. Steen
Core tester, Opera Software
Received on Thursday, 28 March 2013 09:33:51 UTC
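
Added example, not part of the original message and not WebKit or spec code: if a paste listener that calls getData('text/html') receives the pre-sanitized source as described above, the page itself has to clean the markup before inserting it. The `#editor` id, the function names and the handling of on* attributes are assumptions.

```javascript
// Added example, not WebKit or spec code. It handles only SCRIPT elements and
// javascript: URLs (named in the message) plus on* attributes (an assumption
// about what "etc" covers); it is not a complete HTML sanitizer.
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);

function isScriptUrl(value) {
  // Drop whitespace/control characters before comparing: URL parsing ignores
  // leading ones and embedded tabs/newlines. Stripping all is stricter.
  const v = String(value).replace(/[\u0000-\u0020]+/g, '').toLowerCase();
  return v.startsWith('javascript:');
}

function sanitizeTree(node, report = []) {
  // Copy before iterating: removing from a live collection skips entries.
  for (const el of Array.from(node.children)) {
    if (el.tagName.toUpperCase() === 'SCRIPT') {
      el.remove();
      report.push('removed <script>');
      continue;
    }
    for (const attr of Array.from(el.attributes)) {
      const name = attr.name.toLowerCase();
      if (name.startsWith('on') || (URL_ATTRS.has(name) && isScriptUrl(attr.value))) {
        el.removeAttribute(attr.name);
        report.push(`removed ${name} from <${el.tagName.toLowerCase()}>`);
      }
    }
    sanitizeTree(el, report);
  }
  return report;
}

function onPaste(event) {
  const html = event.clipboardData.getData('text/html'); // pre-sanitized source
  if (!html) return; // no rich text: leave the default paste alone
  event.preventDefault();
  // DOMParser yields an inert document, so nothing runs while we clean it.
  const doc = new DOMParser().parseFromString(html, 'text/html');
  sanitizeTree(doc.body);
  const range = window.getSelection().getRangeAt(0);
  range.deleteContents();
  const frag = document.createDocumentFragment();
  while (doc.body.firstChild) frag.appendChild(doc.body.firstChild);
  range.insertNode(frag);
}

if (typeof document !== 'undefined') { // browser only
  const editor = document.querySelector('#editor'); // hypothetical element id
  if (editor) editor.addEventListener('paste', onPaste);
}
```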
