[Webkit-unassigned] [Bug 19893] event.(dataTransfer|clipboardData).getData('text/html') (onpaste, ondrop)

bugzilla-daemon at webkit.org
Wed Mar 17 18:34:54 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=19893





--- Comment #6 from Tony Chang (Google) <tony at chromium.org>  2010-03-17 18:34:54 PST ---
(In reply to comment #5)
> Please don't make this change to WebKit unless you have some other solution for
> that problem. We want people to be able to copy in Safari and paste into Excel.

Thanks for letting me know about the history of this behavior.

I am able to copy and paste with this patch into Excel 2008.  Which version of
Excel do we want to make sure still works?  It looks like the versions before
2008 were 2004 and 2001.

(In reply to comment #4)
> (From update of attachment 50877 [details])
> You need to test the effect of copy/pasting say
> <div onload="alert(1)"></div>
> 
> I suspect the getData("text/html") query will currently produce a string that
> contains the event handler which is _probably_ unsafe.

Yes, the string will contain the event handler, which the website could do
something unsafe with (say, assign to innerHTML).  I think it's up to the site
to sanitize the string or just use text/plain.  Lots of stuff gets removed by
WebKit when pasted (CSS, event handlers, smart handling of some formatting),
but perhaps the site has some other good reason to want to use the original
html.

Julie, do you have some example use cases of wanting text/html?

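One way a site could handle the raw `getData('text/html')` string discussed in comment #6 before it reaches the page, as an added example that is not part of the original thread or WebKit's code. The allowlists, the `#editor` selector, and the function names `scrub` and `onPaste` are assumptions made for illustration.

```javascript
// Added example, not WebKit code. The allowlists are assumptions; tune them per editor.
const ALLOWED_TAGS = new Set(['B', 'I', 'EM', 'STRONG', 'P', 'BR', 'UL', 'OL', 'LI', 'A', 'DIV', 'SPAN']);
const ALLOWED_ATTRS = { A: new Set(['href']) };
const SAFE_URL = /^(https?:|mailto:)/i;

// Clean a parsed tree in place, using only standard Element members
// (tagName, children, attributes, removeAttribute, remove).
function scrub(root) {
  for (const el of Array.from(root.children)) {
    if (!ALLOWED_TAGS.has(el.tagName)) {
      el.remove(); // <script>, <style>, <img>, <svg>, ... go, with their content
      continue;
    }
    const allowed = ALLOWED_ATTRS[el.tagName] || new Set();
    for (const attr of Array.from(el.attributes)) {
      const name = attr.name.toLowerCase();
      const ok = allowed.has(name) &&
        (name !== 'href' || SAFE_URL.test(attr.value.trim()));
      if (!ok) el.removeAttribute(attr.name); // onload=, onclick=, style=, javascript: links
    }
    scrub(el);
  }
  return root;
}

function onPaste(event, target) {
  event.preventDefault(); // stop the browser's own insertion
  const data = event.clipboardData;
  const html = data.getData('text/html');
  if (!html) {
    target.append(data.getData('text/plain')); // a string is appended as a text node
    return;
  }
  // DOMParser output is inert: scripting is disabled in the parsed document.
  const body = scrub(new DOMParser().parseFromString(html, 'text/html').body);
  // Move the cleaned nodes instead of re-serialising through innerHTML.
  target.append(...Array.from(body.childNodes, n => document.importNode(n, true)));
}

if (typeof document !== 'undefined') {
  const editor = document.querySelector('#editor'); // hypothetical editable element
  if (editor) editor.addEventListener('paste', e => onPaste(e, editor));
}
```

Elements outside the allowlist are dropped together with their text, so an editor that must keep headings or tables needs those tags added explicitly.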