The code expects `text/html` at the first position of the array, but the explainer says "If text/html representation is present in the ClipboardItem and text/html is present in the unsanitized list", which suggests any position would be fine. Maybe make the explainer say what the code says or vice versa. Good catch. I'll edit the explainer to match the code. Thanks!
________________________________ From: Thomas Steiner <[email protected]> Sent: Tuesday, October 10, 2023 8:12 AM To: Anupam Snigdha <[email protected]> Cc: Thomas Steiner <[email protected]>; [email protected] <[email protected]>; Sanket Joshi (EDGE) <[email protected]>; Evan Stade <[email protected]>; [email protected] <[email protected]>; Ana Sollano Kim <[email protected]> Subject: Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Async Clipboard API: Read unsanitized HTML and write well-formed HTML format. On Mon, Oct 9, 2023 at 7:15 PM Anupam Snigdha <[email protected]<mailto:[email protected]>> wrote: Any answer on the other question regarding what the expected outcome of a call like below would be? Currently we're throwing a JS exception<https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/clipboard/clipboard_promise.cc;drc=c5ac981ddffb22c613baf38bf69f3554f51894d0;l=248> if the unsanitized list contains a format other than `text/html`. The code expects `text/html` at the first position of the array, but the explainer says "If text/html representation is present in the ClipboardItem and text/html is present in the unsanitized list", which suggests any position would be fine. Maybe make the explainer say what the code says or vice versa. In theory we could also add other built-in formats in the future where sanitization is needed by-default on read(), but unsanitized content is returned if the author explicitly opts into it. e.g. For `image/svg+xml`, we could return sanitized content by-default<https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/clipboard/clipboard_writer.cc;drc=f5bdc89c7395ed24f1b8d196a3bdd6232d5bf771;l=225> where styles would be inlined and <meta> tags would be stripped out by the sanitizer, but if the authors want unsanitized content, then they can explicitly opt into it by adding this format to the unsanitized list. This sounds like a feasible extension to the current behavior. Probably you could even remove the "hello" in `<div id="logDiv">hello</div>` so the DIV is entirely empty to avoid any and all misunderstandings. Done. Thank you! -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/DM6PR00MB0848804D3A50865C9747AE57CFCDA%40DM6PR00MB0848.namprd00.prod.outlook.com.
