This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
If the default action of a paste event is not prevented, the target element of the paste action supports rich text editing, and there is formatted textual data on the clipboard, the implementation must remove

* SCRIPT elements
* javascript: URLs
* on...="" event handler attributes

before pasting. Or something like that... At least IE & Chrome already do this.
http://www.w3.org/mid/F27C10D5-EF26-44D5-A82D-3A5B3487D0B8@apple.com
(In reply to comment #0)
> the implementation must remove
>
> * SCRIPT element
> * javascript: URLs
> * on...="" event handler attributes

Blacklisting is the wrong way to write sanitizers. Gecko uses whitelisting: http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsTreeSanitizer.cpp
Does WebKit *actually* remove unknown properties from pasted markup? I don't know off the top of my head if it's using a whitelist or blacklist approach. Ideally, I could just reference an algorithm to generate "safe" markup somewhere else...
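As an added example (not code from the bug report, from Gecko, or from any other browser), here is an allowlist paste sanitizer in the style comment #1 recommends, run against the cases comment #0 lists. The element and attribute allowlist, the scheme list, the tiny tag-soup parser and the sample clipboard payload are all assumptions chosen for illustration; a real implementation walks the tree produced by the browser's own HTML parser (the nsTreeSanitizer linked above works on a parsed tree; page script would use DOMParser) rather than parsing markup itself.

```javascript
// Allowlist: element name -> attributes kept on it; anything not listed is dropped.
// (Illustrative policy, not any browser's; a real editor would allow much more.)
const ALLOWED = new Map([
  ['b', []], ['i', []], ['em', []], ['strong', []], ['u', []], ['p', []], ['br', []],
  ['ul', []], ['ol', []], ['li', []], ['a', ['href', 'title']], ['img', ['src', 'alt']],
]);
const VOID = new Set(['br', 'img', 'hr']);              // no closing tag
const URL_ATTRS = new Set(['href', 'src']);              // get a scheme check
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
// Disallowed elements whose content is discarded too; any other disallowed
// element is unwrapped so its formatted text survives.
const DROP_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'noscript']);

function decodeEntities(s) {
  return s.replace(/&(#x([0-9a-f]+)|#([0-9]+)|amp|lt|gt|quot|apos);/gi, (m, _, hex, dec) => {
    if (hex || dec) return String.fromCodePoint(parseInt(hex || dec, hex ? 16 : 10));
    return { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" }[m.slice(1, -1).toLowerCase()];
  });
}

function parseAttrs(s) {
  const attrs = {}, re = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (let m; (m = re.exec(s)) !== null;) attrs[m[1].toLowerCase()] = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
  return attrs;
}

// Minimal tag-soup parser producing {name, attrs, children} and {text} nodes. It stands
// in for the browser's HTML parser here only so the example runs under Node.
function parse(html) {
  const root = { name: '#root', attrs: {}, children: [] }, stack = [root];
  const re = /<!--[\s\S]*?-->|<\/([a-zA-Z][\w:-]*)\s*>|<([a-zA-Z][\w:-]*)((?:[\s\/]+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)[\s\/]*>|([^<]+|<)/g;
  for (let m; (m = re.exec(html)) !== null;) {
    const top = stack[stack.length - 1];
    if (m[1]) {                                    // closing tag: pop back to its opener
      const name = m[1].toLowerCase();
      for (let i = stack.length - 1; i > 0; i--) if (stack[i].name === name) { stack.length = i; break; }
    } else if (m[2]) {                             // opening tag
      const el = { name: m[2].toLowerCase(), attrs: parseAttrs(m[3]), children: [] };
      top.children.push(el);
      if (!VOID.has(el.name)) stack.push(el);
    } else if (m[4] !== undefined) top.children.push({ text: decodeEntities(m[4]) });
  }
  return root;
}

// Scheme allowlist. Browsers strip leading control characters and whitespace before
// detecting the scheme, so "jav\tascript:" has to be normalised before the check.
function safeUrl(value) {
  const scheme = value.replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase().match(/^([a-z][a-z0-9+.-]*):/);
  return scheme === null || SAFE_SCHEMES.has(scheme[1]);   // relative URLs pass
}

function sanitizeChildren(node, out) {
  for (const child of node.children) {
    if (child.text !== undefined) { out.children.push({ text: child.text }); continue; }
    const allowedAttrs = ALLOWED.get(child.name);
    if (allowedAttrs === undefined) {              // not on the allowlist
      if (!DROP_CONTENT.has(child.name)) sanitizeChildren(child, out);
      continue;
    }
    const clean = { name: child.name, attrs: {}, children: [] };
    for (const [k, v] of Object.entries(child.attrs)) {
      if (allowedAttrs.includes(k) && (!URL_ATTRS.has(k) || safeUrl(v))) clean.attrs[k] = v;
    }
    out.children.push(clean);
    sanitizeChildren(child, clean);
  }
}

const escText = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
function serialize(node) {
  let out = '';
  for (const c of node.children) {
    if (c.text !== undefined) { out += escText(c.text); continue; }
    const attrs = Object.entries(c.attrs).map(([k, v]) => ` ${k}="${escText(v).replace(/"/g, '&quot;')}"`).join('');
    out += `<${c.name}${attrs}>` + (VOID.has(c.name) ? '' : serialize(c) + `</${c.name}>`);
  }
  return out;
}

function sanitizePastedHtml(html) {
  const clean = { name: '#root', attrs: {}, children: [] };
  sanitizeChildren(parse(html), clean);
  return serialize(clean);
}

// Constructed sample clipboard payload (not from the report): legitimate formatting mixed
// with comment #0's three cases plus a few that a blacklist of exactly those would miss.
const SAMPLE = '<p onclick="x()">Hi <b>there</b><script>steal()</script>'
  + '<a href="javascript:alert(1)">bad</a><a href="jav&#x09;ascript:alert(1)">sneaky</a>'
  + '<a href="https://example.com" title="ok">good</a><img src="x" onerror="alert(1)">'
  + '<svg/onload=alert(1)><iframe srcdoc="<script>1</script>"></iframe></p>';

console.log(sanitizePastedHtml(SAMPLE));
```

In a browser this would be wired to the paste event of an editable element: read `clipboardData.getData('text/html')`, call `preventDefault()`, and insert the returned markup. The sample payload shows why comment #1 objects to a blacklist: a rule that removes only SCRIPT, `javascript:` and `on...` attributes still lets an `iframe` with `srcdoc` through, and only catches the tab-split `javascript:` URL if the scheme check normalises the value first, whereas the allowlist never has to enumerate any of them.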