Re: Clipboard API: Stripping script element

On Mar 28, 2013, at 3:18 AM, James Graham <jgraham@opera.com> wrote:

> On 03/28/2013 10:36 AM, Hallvord Reiar Michaelsen Steen wrote:
>>> In particular, WebKit has been stripping script element from the
>>> pasted content but this may have some side effects on CSS rules.]
>> 
>> 
>> 
>> AFAIK (without re-testing right now), WebKit's implementation is:
>> * rich text content that is pasted into a page without JS handling it is sanitized (SCRIPT, javascript: links etc removed)
>> * a paste event listener that calls getData('text/html') will get the full, pre-sanitized source
>> 
>> 
>> If that's correct I can add a short description of this to the spec, in the informative section.
> 
> Why would this be informative? It seems quite possible to construct interop problems stemming from different implementations here e.g. a site that assumes that there will never be <script> elements in pasted text, or a site that assumes it can get scripts in the result of getData("text/html"). Therefore the exact behaviour of the platform in this respect needs to be normatively defined.

Exactly.  The particular case I had in my mind was something like:

<div>
<script>~</script>
<span>hello</span>
<style>
div {
    color: red;
}
span:nth-child(2) {
    color: green;
}
</style>
</div>

If we had striped the script element, the hello will be shown in red instead of green. We ought to define what UAs are allowed to do (e.g. strip script element) even if we couldn't specify the exact algorithm so that authors won't be surprised by some UAs stripping script elements and others emptying out the text nodes within it.

FWIW, stripping script element appears to be the nominal behavior both among browsers and various mail apps (e.g. Gmail, etc…).

- R. Niwa

Received on Thursday, 28 March 2013 18:11:21 UTC