On Wed, Nov 14, 2012 at 1:51 PM, Mike Stay <metaw...@gmail.com> wrote:
> In order to support editors in Caja, we really need contenteditable

I haven't actually prototyped this, much less security-tested it, but
what occurs to me is that even if we cannot replace
what-is-being-pasted, we can sanitize it *after* the paste but
*before* the user has a chance to interact with it. This works only if
<script>s etc. don't immediately execute.
But first, we need to consider the threat model. Are we concerned about:
- defending the host page from pasted content, or
In particular, an ordinary contenteditable host page would seem to be
If pastes are not malicious, not sanitized, or excluded from the
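Worked example, added here and not code from this thread or from Caja: a DOM sanitizer that can be run over a contenteditable subtree after a paste has landed, as sketched in the reply above, plus browser wiring that, whenever the paste event exposes the clipboard HTML, sanitizes it in an inert DOMParser document before anything is inserted. The element and attribute allowlists, the function names (sanitizeSubtree, installPasteSanitizer), the FakeNode/FakeElement stand-in that lets the file run under Node.js, and the sample paste are all constructed for this example.

```javascript
const ELEMENT_NODE = 1, TEXT_NODE = 3;
// Assumed policy: elements outside KEEP are unwrapped (children hoisted), those in DROP
// go with their contents. Only KEEP_ATTRS survive: on* handlers, style, srcdoc and
// id/name (DOM clobbering of the host page) are dropped; href/src must also pass isSafeUrl.
const KEEP = new Set(['P', 'BR', 'DIV', 'SPAN', 'B', 'I', 'EM', 'STRONG', 'U', 'A', 'UL', 'OL',
  'LI', 'H1', 'H2', 'H3', 'BLOCKQUOTE', 'PRE', 'CODE', 'IMG']);
const DROP = new Set(['SCRIPT', 'STYLE', 'IFRAME', 'OBJECT', 'EMBED', 'TEXTAREA', 'NOSCRIPT',
  'TEMPLATE', 'SVG', 'MATH']);
const KEEP_ATTRS = new Map([['A', new Set(['href', 'title'])], ['IMG', new Set(['src', 'alt'])]]);
const SAFE_SCHEMES = /^(?:https?|mailto):/i;

// Absolute URLs must use an allowed scheme; relative ones pass. Control characters
// are stripped first: browsers ignore them, so "java\tscript:" beats a prefix check.
function isSafeUrl(value) {
  const v = String(value).replace(/[\u0000-\u0020]/g, '');
  return !/^[a-z][a-z0-9+.-]*:/i.test(v) || SAFE_SCHEMES.test(v);
}

// Cleans root's descendants in place and returns how many nodes and attributes were
// removed. childNodes is snapshotted: removing from a live NodeList mid-loop skips siblings.
function sanitizeSubtree(root) {
  let n = 0;
  for (const node of Array.from(root.childNodes)) n += sanitizeNode(node);
  return n;
}

function sanitizeNode(node) {
  if (node.nodeType === TEXT_NODE) return 0;
  if (node.nodeType !== ELEMENT_NODE) { node.remove(); return 1; } // comments etc.
  const tag = node.tagName.toUpperCase();
  if (DROP.has(tag)) { node.remove(); return 1; }
  if (!KEEP.has(tag)) { // unknown element: clean its children, hoist them, drop it
    const n = sanitizeSubtree(node);
    for (const c of Array.from(node.childNodes)) node.parentNode.insertBefore(c, node);
    node.remove();
    return n + 1;
  }
  let n = 0;
  const allowed = KEEP_ATTRS.get(tag) || new Set();
  for (const attr of Array.from(node.attributes)) {
    const name = attr.name.toLowerCase();
    const unsafe = !allowed.has(name) || ((name === 'href' || name === 'src') && !isSafeUrl(attr.value));
    if (unsafe) { node.removeAttribute(attr.name); n++; }
  }
  return n + sanitizeSubtree(node);
}

// Browser wiring. Preferred path: parse the clipboard HTML with DOMParser (that document
// runs no scripts and fetches nothing), sanitize there, and import the clean nodes with
// no innerHTML round trip. Fallback, the thread's idea: let the paste land and clean up
// on the 'input' event that follows. Weaker: the nodes were live for a moment, their
// fetches are already issued, and whether nothing ran meanwhile is the browser's call.
function installPasteSanitizer(editor) {
  editor.addEventListener('paste', (e) => {
    const html = e.clipboardData && e.clipboardData.getData('text/html');
    const own = editor.ownerDocument, sel = own.getSelection();
    if (!html || !sel.rangeCount || !editor.contains(sel.anchorNode)) return;
    e.preventDefault();
    const doc = new DOMParser().parseFromString(html, 'text/html');
    sanitizeSubtree(doc.body);
    const frag = own.createDocumentFragment();
    for (const c of Array.from(doc.body.childNodes)) frag.appendChild(own.importNode(c, true));
    const range = sel.getRangeAt(0);
    range.deleteContents();
    range.insertNode(frag);
  });
  editor.addEventListener('input', (e) => {
    if (e.inputType === 'insertFromPaste') sanitizeSubtree(editor);
  });
}

// Constructed stand-in so this file also runs under Node.js; it implements only the DOM
// members the sanitizer touches. In a browser, pass real Elements instead.
class FakeNode {
  constructor(nodeType) { Object.assign(this, { nodeType, parentNode: null, childNodes: [] }); }
  remove() { const p = this.parentNode; if (p) p.childNodes.splice(p.childNodes.indexOf(this), 1); this.parentNode = null; }
  insertBefore(node, ref) {
    node.remove();
    this.childNodes.splice(ref ? this.childNodes.indexOf(ref) : this.childNodes.length, 0, node);
    return Object.assign(node, { parentNode: this });
  }
  appendChild(node) { return this.insertBefore(node, null); }
}
class FakeElement extends FakeNode {
  constructor(tagName, attrs = {}) {
    super(ELEMENT_NODE);
    this.tagName = tagName.toUpperCase();
    this.attributes = Object.entries(attrs).map(([name, value]) => ({ name, value }));
  }
  removeAttribute(name) { this.attributes = this.attributes.filter((a) => a.name !== name); }
}
const fakeText = (s) => Object.assign(new FakeNode(TEXT_NODE), { textContent: s });

// Constructed sample: what a hostile paste could leave behind in the editor.
function samplePaste() {
  const editor = new FakeElement('div', { contenteditable: 'true' });
  const p = editor.appendChild(new FakeElement('p'));
  p.appendChild(fakeText('Hi '));
  p.appendChild(new FakeElement('script')).appendChild(fakeText('alert(1)'));
  p.appendChild(new FakeElement('img', { src: 'x', onerror: 'alert(2)' }));
  p.appendChild(new FakeElement('a', { href: 'java\tscript:alert(3)', title: 't' })).appendChild(fakeText('go'));
  p.appendChild(new FakeElement('font', { color: 'red' })).appendChild(new FakeElement('b')).appendChild(fakeText('bold'));
  return editor;
}
```

In a browser, call installPasteSanitizer(editorElement) once; under Node.js, sanitizeSubtree(samplePaste()) removes the script, the onerror handler, the javascript: href and the font wrapper (keeping its bold text) and leaves the div's own attributes alone, since only descendants are cleaned. The 'input' fallback is the after-the-paste approach from the reply and inherits its condition: it only helps if the browser itself runs nothing between insertion and the input event, which the sanitizer cannot guarantee. Prefer the paste-event path whenever clipboardData hands you the HTML, and treat the allowlist (rather than a blocklist of known-bad tags) as the part worth keeping even if the policy changes.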