This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 21700 - spec "strip possibly dangerous content before inserting rich text paste markup"
Summary: spec "strip possibly dangerous content before inserting rich text paste markup"
Status: NEW
Alias: None
Product: WebAppsWG
Classification: Unclassified
Component: HISTORICAL - Clipboard API and events (show other bugs)
Version: unspecified
Hardware: PC Linux
: P1 critical
Target Milestone: ---
Assignee: Hallvord R. M. Steen
QA Contact: public-webapps-bugzilla
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-15 08:38 UTC by Hallvord R. M. Steen
Modified: 2014-11-05 15:57 UTC (History)
5 users (show)

See Also:

Attachments

Description Hallvord R. M. Steen 2013-04-15 08:38:04 UTC 
If the default action of a paste event is not prevented, the target element of the paste action supports rich text editing, and there is formatted textual data on the clipboard, the implementation must remove 

* SCRIPT element
* javascript: URLs
* on...="" event handler attributes

before pasting.

Or something like that.. At least IE&Chrome already do this.
Comment 2 Henri Sivonen 2013-04-19 13:55:50 UTC 
(In reply to comment #0)
> the implementation must remove 
> 
> * SCRIPT element
> * javascript: URLs
> * on...="" event handler attributes

Blacklisting is the wrong way to write sanitizers.

Gecko uses whitelisting:
http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsTreeSanitizer.cpp
Comment 3 Hallvord R. M. Steen 2014-09-08 08:47:09 UTC 
Does WebKit *actually* remove unknown properties from pasted markup? I don't know off the top of my head if it's using a whitelist or blacklist approach.

Ideally, I could just reference an algorithm to generate "safe" markup somewhere else..