Rich Text Editor accepts any HTML or Scripts from clipboard, paste

[Jaepil]

Rich Text Editor accepts any HTML or Scripts from clipboard. This is a security issue and breaks the whole concept of easy to use Rich Text editor.

There are two things that should be done.
1) Create onPaste event.
2) Filter the data before it gets pasted into the editor. Un-wanted tags and attributes must be striped, but the tag contents should remain as plain text.

Dojo tool users must be able to specify what tags and attributes are allowed.

If it's possible;

• It should always strip <script> and well know script tags, such as <?php ?>.
  
• Let users specify allowed attribute and value pairs. This will be useful for 'class' attributes.

[[email protected]…]

I would have to disagree with this. Filtering should be done at the server layer, not the client layer. As a general rule you should never trust data sent from a client, always filter it regardless what client-side precautions have been taken.

[anonymous]

I'd love to see this fixed, as it seems to be causing issues on an application I'm building. An example of the problem is pasting in content from a Microsoft Word document. It seems to add all sorts of wierd tags that firefox just doesn't understand and makes firefox display the content all wonky. I suspect that the html that is pasted in should be converted into legal html no matter what browser you view it in.

[alex]

punting for lack of time before 0.3.0

[alex]

As I dig into this, it's a significant feature addition (whitelist HTML parser state machine).

oof. more punting.

[dylan]

cougar, please triage this if you have time... not sure if it is an issue with editor 2... if so, 0.4, 0.4.1, or 0.5?

[bill]

Needs context menu support so we can intercept cut/paste requests rather than using the browser default handler.

[dylan]

mass move of editor issues to 1.2.

[Adam Peller]

related to #2140?