Re: [clipboard] Add RTF to the "mandatory data types" list? from James M. Greene on 2015-04-21 (public-webapps@w3.org from April to June 2015)

From: James M. Greene <james.m.greene@gmail.com>
Date: Tue, 21 Apr 2015 00:57:32 -0500
To: Hallvord Reiar Michaelsen Steen <hsteen@mozilla.com>
Cc: public-webapps <public-webapps@w3.org>, Ben Peters <Ben.Peters@microsoft.com>
Message-ID: <CALrbKZhSvpYH8H8Ayz=MM+pYhSKK3uCVt1ogVh5jc9tYP_P7+w@mail.gmail.com>

Hallvord --

That behavior is really all I wanted, i.e. "don't let the browser
discard/ignore valid RTF clipboard data".

I would also echo Paul's thoughts: this sounds good but is there any
OS/browser-level sanitization process necessary?  I would be curious to
hear from Ben if Microsoft already has such things in place for IE.

Sincerely,
    James Greene


On Mon, Apr 20, 2015 at 3:26 PM, Paul Libbrecht <paul@hoplahup.net> wrote:

>
>
> On 20/04/15 22:11, Hallvord Reiar Michaelsen Steen wrote:
> > Would it be a possible compromise to let a script describe data as
> > RTF, and then put said data on the clipboard with the OS's correct RTF
> > data type labelling? And vice versa, if the script asks for RTF give
> > it any RTF contents from the clipboard as raw (binary) data? Products
> > and environments that desperately need clipboard RTF support could
> > then implement their own parsers and converters in JS and write/read
> > RTF - the rest of us avoid some browser bloat.. Is this level of
> > "support" reasonable?
> Is there any security consideration that we should be aware of here?
> (e.g. embedded content)
> If not, then I think there's no issue accepting this way.
> If yes, then I guess there should be some sanitization process happening
> since otherwise untrusted web-pages could insert in the clipboard
> RTF-content that would reference external stuff that would be fetched
> when pasted in.
>
> paul
>
>

Received on Tuesday, 21 April 2015 05:58:21 UTC