> > In addition, from a security perspective, what stops a malicious website
> from embedding something like <img src="file:///etc/passwd"
> style="display:none"></img> in the markup?
>
> We disallow this on copy by stripping such references.
>
Hi Ben,
picking up this old thread..
So we need to add a "sanitize local references" step/algorithm somewhere
when JS writes data to clipboard? It would be great if you could have a
look at
https://w3c.github.io/clipboard-apis/#dfn-writing-contents-to-the-clipboard
and suggest some text - maybe even in the form of a GitHub pull request? :)
(I assume you strip *all* local references, not just specific blacklisted
stuff like /etc/passwd - this probably needs testing with various types of
slashes etc..)
Do you have any other safety measures when data is written to the clipboard?
-Hallvord