PasteHandler, get access to pasted text?


Devraj Mukherjee

May 13, 2012, 11:14:25 PM
to closure-lib...@googlegroups.com
Hi all,

I am using the PasteHandler to ensure that I can strip out markup of
pasted text in a DIV that has contenteditable set to true (to roll my
own RTE).

var pasteHandler_ = new goog.events.PasteHandler(element);
this.eventHandler_.listen(pasteHandler_,
goog.events.PasteHandler.EventType.PASTE, this.handlePaste_);

At the moment I am accessing the pasted text like so in my event handler

var browserEvent_ = event.getBrowserEvent();
pastedText_ = browserEvent_.clipboardData.getData('text/plain');

Does the PasteHandler allow access to pasted text? Or am I on the right track?

Thanks for your input.

Garry Boyer

May 14, 2012, 1:27:45 AM
to closure-lib...@googlegroups.com
I've been trying to solve this exact problem of forbidding rich paste :-)

In WebKit, I use contentEditable=plaintext-only

In Firefox, I detect the paste, and then select a display:-moz-deck zero-width zero-height overflow-hidden div that's a child of the contentEditable, then I cancel the native paste, and then let the paste happen there. From there, the contents get extracted and plain text appears.

In IE, I use: onpaste="document.selection.createRange().text=clipboardData.getData('Text')"

In Firefox, though, you still have a self-XSS attack, where a user can be tricked into pasting something malicious. However, in Firefox, the scope of these XSS attacks is that images get loaded, leaking referers. IE also loads iframes if you let the native paste event happen -- using a DOM0 handler for onpaste seems to avoid this, while not popping a security warning. WebKit's plaintext-only is a saviour.
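The plain-text paste idea discussed in the two posts above, as an added example that is not code from any poster or from Closure Library: it cancels the native (rich) paste, reads only the text/plain flavour, and inserts it as a text node so it is never parsed as HTML. The function names and the `#editor` element id are assumptions.

```javascript
// Added example: plain-text-only paste for a contenteditable element.
// Accepts a native paste event or a Closure BrowserEvent wrapper.

// Return the clipboard's text/plain flavour, or '' if none is readable.
function plainTextFromPaste(event, win) {
  const native = typeof event.getBrowserEvent === 'function'
      ? event.getBrowserEvent() : event;
  let text = '';
  if (native.clipboardData && native.clipboardData.getData) {
    text = native.clipboardData.getData('text/plain');   // standard API
  } else if (win && win.clipboardData) {
    text = win.clipboardData.getData('Text');            // legacy IE
  }
  // Normalise line endings; never fall back to the text/html flavour.
  return String(text || '').replace(/\r\n?/g, '\n');
}

// Insert text at the caret as a text node, so markup in it stays inert.
function insertTextAtSelection(text, win) {
  const sel = win.getSelection();
  if (!sel || sel.rangeCount === 0) return;
  const range = sel.getRangeAt(0);
  range.deleteContents();
  range.insertNode(win.document.createTextNode(text));
  range.collapse(false);
}

// Paste handler: always cancel the native paste, then insert text only.
// `insert` is a callback so the DOM step can be swapped out.
function handlePlainPaste(event, insert, win) {
  const text = plainTextFromPaste(event, win);
  event.preventDefault();   // even when there is nothing to insert
  if (text) insert(text);
  return text;
}

// Browser wiring; `#editor` is a hypothetical element id.
if (typeof document !== 'undefined') {
  const editor = document.getElementById('editor');
  if (editor) {
    editor.addEventListener('paste', (e) =>
        handlePlainPaste(e, (t) => insertTextAtSelection(t, window), window));
  }
}
```

A clipboard that carries only text/html results in nothing being inserted, which is deliberate: the HTML flavour is never touched.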

Devraj Mukherjee

May 14, 2012, 6:44:30 PM
to closure-lib...@googlegroups.com
Hi Garry,

Thanks a lot for that comprehensive answer.

Had no idea about WebKit's contentEditable = plaintext

Wei Zhang

Sep 5, 2013, 5:46:21 PM
to closure-lib...@googlegroups.com
Hi Garry.
Thank you for your answer. Could you please explain the paste processing in Firefox?
It seems that Firefox doesn't allow the paste to be redirected to another DOM element.

Garry Boyer

Sep 5, 2013, 5:54:23 PM
to clos-discuss, Nathan Naze
We have code to do it, but it's not integrated in the editor. I could ask about releasing it as a reference though I'm not sure we have time to test it to a high enough quality to release it as part of Closure.



--
 
---
You received this message because you are subscribed to the Google Groups "Closure Library Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to closure-library-d...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

dali

Oct 2, 2013, 9:56:09 AM
to closure-lib...@googlegroups.com, Nathan Naze
that would be awesome!

Garry Boyer

Oct 2, 2013, 1:46:33 PM
to clos-discuss, Nathan Naze
Attached a zip file with the relevant sources. We are providing this as a reference only, and not maintaining it, so I can't guarantee it works, but it is what I have used in the past :-)

Note that I think this is vulnerable to copy/paste vulnerabilities in some browsers -- e.g. if you copy an img tag with onerror, the onerror might get executed. I know that at least modern Firefox is not susceptible, though, but some other browsers may be. Note this approach no longer works with IE since either version 8 or 9.



geckopasteinterceptor.zip