Re: Re: Clipboard API: Stripping script element from Hallvord Reiar Michaelsen Steen on 2013-03-28 (public-webapps@w3.org from January to March 2013)

From: Hallvord Reiar Michaelsen Steen <hallvord@opera.com>
Date: Thu, 28 Mar 2013 12:34:56 +0100
To: public-webapps@w3.org, "James Graham" <jgraham@opera.com>
Message-ID: <2333a0f3dc96ceadbbe74c2f342f83ae@opera.com>

On 03/28/2013 10:36 AM, Hallvord Reiar Michaelsen Steen wrote:
> >> In particular, WebKit has been stripping script element from the
> >> pasted content but this may have some side effects on CSS rules.]

> > AFAIK (without re-testing right now), WebKit's implementation is:
> > * rich text content that is pasted into a page without JS handling it is sanitized (SCRIPT, javascript: links etc removed)
> > * a paste event listener that calls getData('text/html') will get the full, pre-sanitized source
> >
> >
> > If that's correct I can add a short description of this to the spec, in the informative section.
> 

> Why would this be informative?

Mainly because it seems like spec'ing it is a bit out of scope for this spec - I'm trying to spec how clipboard events should work as seen from the JS side. Implementation details like how data is pasted when there is no JS or event handling involved don't seem to belong here, and IMO the interop issues are far-fetched (though the XSS risks aren't).

Now, if there is interest in implementing this among other vendors, and general agreement that we should have this in the clipboard events spec, I'm happy to say something about this in normative prose. In other words, I'll just play this ball right over to the Mozilla and Microsoft representatives: do you currently implement, or do you plan to implement what WebKit does here?

> It seems quite possible to construct 
> interop problems stemming from different implementations here e.g. a 
> site that assumes that there will never be <script> elements in pasted 
> text, or a site that assumes it can get scripts in the result of 
> getData("text/html"). Therefore the exact behaviour of the platform in 
> this respect needs to be normatively defined.

The latter aspect should be normatively defined already, in so far the normative getData('text/html') stuff doesn't spec any sanitization. So I think the interop is taken care of. As an anti-XSS measure, how to handle pasting of potentially risky content might be covered for example in specs for rich text editing.

-- 
Hallvord R. M. Steen
Core tester, Opera Software

Received on Thursday, 28 March 2013 11:32:36 UTC