Re: [clipboard] Sanitizing HTML content for security/privacy on copy or paste?

On Tue, 09 Feb 2016 12:39:33 +0100, Hallvord Reiar Michaelsen Steen  
<> wrote:

> Hi,
> some discussion of how browsers can try to safeguard security/privacy
> while copying/pasting HTML got tangled into the "remove dangerous
> formats from mandatory data types" thread [1]. I think it will be
> easier to follow with a separate thread.

See also discussions on this in webappsec, with threads starting from a few days ago, and from January.


> Context: we're talking copy from any normal public or local web page,
> to paste formatted text into an online rich text editor. The questions
> are about the code the UA itself would insert into the rich text
> editor if no script processing took place - the source code you expose
> via clipboardData.getData('text/html') may be handled differently.
> So - implementors: do you do any of the following currently, and does
> it happen when content is written to the clipboard (copy) or read
> (paste)? Do you care if it's a cross-site paste or a same-origin
> paste?
> * Change IMG src to inline images as data: URLs?
> * If yes, for all images or just local ones?
> * Change link HREFs to remove potential embedded session IDs?
> * Remove javascript: URLs from the code?
> * Remove event listeners from the code?
> * Inline external stylesheets
> * Remove SCRIPT elements
> * Any other special precautions or processing I haven't thought of?
> (I know some of these would be somewhat odd or weird to do - just  
> checking..)
> (Also, this is not quite in scope for my spec, but I keep being asked
> to figure it out.. ;))
> -Hallvord R
> [1]  

Charles McCathie Nevile - web standards - CTO Office, Yandex - - - Find more at

Received on Tuesday, 9 February 2016 14:27:06 UTC
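Three of the steps Hallvord lists (removing SCRIPT elements, event-listener attributes and javascript: URLs) as an allow-list paste sanitizer, added here as an example that is not code from any browser, editor or message in this thread. It uses Python's standard-library HTMLParser to show the logic rather than the browser-side JavaScript an editor would actually run; the tag, attribute and scheme sets and the PASTED sample are assumptions chosen for the demonstration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list: any tag, attribute or URL scheme not named here is dropped on paste.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "img", "span"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}  # element and its children go
URL_ATTRS, TEXT_ATTRS, VOID_TAGS = {"href", "src"}, {"alt", "title"}, {"br", "img"}
ALLOWED_SCHEMES = {"http", "https", "mailto", ""}  # "" keeps relative URLs

def safe_url(value):
    # Strip whitespace/control chars browsers ignore in a scheme, so "java\tscript:" is rejected too.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return cleaned if urlsplit(cleaned).scheme.lower() in ALLOWED_SCHEMES else None

class PasteSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities in text and attrs are decoded
        self.out, self.skip_depth = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1  # suppress everything until the matching end tag
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or value is None:  # event handlers, boolean attrs
                continue
            value = safe_url(value) if name in URL_ATTRS else (value if name in TEXT_ATTRS else None)
            if value is not None:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_pasted_html(html):
    parser = PasteSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample of what a cross-site copy might carry into the editor.
PASTED = ('<p onclick="alert(1)">Hi <a href="java&#115;cript:alert(1)">x</a></p>'
          '<script>steal()</script><img src="http://example.com/a.png" onerror="x()">')
```

Running `sanitize_pasted_html(PASTED)` keeps the paragraph, the link text and the image, but drops the handler attributes, the entity-obfuscated javascript: href and the whole SCRIPT element.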