21700 2013-04-15 08:38:04 +0000 spec "strip possibly dangerous content before inserting rich text paste markup" 2014-11-05 15:57:50 +0000 1 1 1 Unclassified WebAppsWG HISTORICAL - Clipboard API and events unspecified PC Linux NEW P1 critical --- 1 hsteen hsteen bugs dghrjyan hsivonen mike Tobias-Braun1004 public-webapps-bugzilla oldest_to_newest 86206 0 hsteen 2013-04-15 08:38:04 +0000 If the default action of a paste event is not prevented, the target element of the paste action supports rich text editing, and there is formatted textual data on the clipboard, the implementation must remove * SCRIPT element * javascript: URLs * on...="" event handler attributes before pasting. Or something like that.. At least IE&Chrome already do this. 86207 1 hsteen 2013-04-15 08:40:13 +0000 http://www.w3.org/mid/F27C10D5-EF26-44D5-A82D-3A5B3487D0B8@apple.com 86388 2 hsivonen 2013-04-19 13:55:50 +0000 (In reply to comment #0) > the implementation must remove > > * SCRIPT element > * javascript: URLs > * on...="" event handler attributes Blacklisting is the wrong way to write sanitizers. Gecko uses whitelisting: http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsTreeSanitizer.cpp 111156 3 hsteen 2014-09-08 08:47:09 +0000 Does WebKit *actually* remove unknown properties from pasted markup? I don't know off the top of my head if it's using a whitelist or blacklist approach. Ideally, I could just reference an algorithm to generate "safe" markup somewhere else..