RE: MathML and "Clipboard API and events"

2013-04-22 Thread Adam Sobieski
Web Applications Working Group,

Greetings.  In addition to facilitating interprocess communication, 
clipboarding, with the data of arbitrary 
selections of hypertext and MathML, the aforementioned techniques can 
facilitate interprocess communication with the data of arbitrary 
selections of hypertext with RDFa, content in the formats of hypertext, RDF, 
and hypertext with RDFa.



Kind regards,

Adam Sobieski




From: adamsobie...@hotmail.com
To: public-webapps@w3.org
CC: hallv...@opera.com
Date: Sat, 20 Apr 2013 19:40:48 +
Subject: RE: MathML and "Clipboard API and events"


Web Applications Working Group,



Greetings. With regard to MathML and clipboard API and events, some
clipboarding and interprocess communication API topics include:





(1) The use of JavaScript callback functions or interfaces with the 
DataTransfer interface 
(http://www.w3.org/TR/html5/editing.html#the-datatransfer-interface); WebIDL 
includes syntax for callback functions 
(http://www.w3.org/TR/WebIDL/#dfn-callback-function) and interfaces 
(http://www.w3.org/TR/WebIDL/#dfn-callback-interface). 
 An earlier letter discussing the topic was RE: [Clipboard] 
Mathematical Proofs in HTML5 Documents 
(http://lists.w3.org/Archives/Public/public-webapps/2012AprJun/0041.html).



(2) The use of XInclude (http://www.w3.org/TR/xinclude/) in clipboarding and 
interprocess communication with RFC2392 (http://www.ietf.org/rfc/rfc2392.txt)
 in such a way that clipboard content with such XML can be 
differentiated from from clipboard-related uses of such XML.



(3) Provenance data interoperable with bibliographic referencing systems and
document authoring software in clipboarding and interprocess communication.



A solution for clipboarding arbitrary 
selections of hypertext which can include MathML, which can include 
parallel markup, is the use of XInclude in the clipboarded hypertext.  
In addition to backwards compatible clipboarding, with "text/html" and 
"application/xhtml+xml", we could also utilize content type parameters, 
for instance "text/html; ...=..." and "application/xhtml+xml; ...=...", 
which could indicate to clipboard consumers the use of XInclude and 
RFC2392 in interprocess communication.



That is, from an arbitrary selection of hypertext document content including:



This sentence has mathematics in it



we can envision something on the clipboard like:



This sentence has mathematics in it http://www.w3.org/2001/XInclude"; href="..." />.



where the URI scheme of the XInclude's @href could be as per RFC2392 so as to
indicate content from another clipboard resource, which could have a
"multipart/alternative" content type, and content types such as:
"application/mathml-presentation+xml", "application/mathml-content+xml",
and/or "application/mathml+xml", as well as other formats and content
based upon processing any parallel content
(http://www.w3.org/TR/MathML3/chapter5.html) in the MathML.



Pasting would then be a bit more complex, scanning for such XInclude elements, and
assembling content utilizing formats known to the pasting application.







Kind regards,



Adam Sobieski

  

RE: MathML and "Clipboard API and events"

2013-04-20 Thread Adam Sobieski
Web Applications Working Group,

Greetings. With regard to MathML and clipboard API and events, some
clipboarding and interprocess communication API topics include:


(1) The use of JavaScript callback functions or interfaces with the 
DataTransfer interface 
(http://www.w3.org/TR/html5/editing.html#the-datatransfer-interface); WebIDL 
includes syntax for callback functions 
(http://www.w3.org/TR/WebIDL/#dfn-callback-function) and interfaces 
(http://www.w3.org/TR/WebIDL/#dfn-callback-interface). 
 An earlier letter discussing the topic was RE: [Clipboard] 
Mathematical Proofs in HTML5 Documents 
(http://lists.w3.org/Archives/Public/public-webapps/2012AprJun/0041.html).

(2) The use of XInclude (http://www.w3.org/TR/xinclude/) in clipboarding and 
interprocess communication with RFC2392 (http://www.ietf.org/rfc/rfc2392.txt)
 in such a way that clipboard content with such XML can be 
differentiated from from clipboard-related uses of such XML.

(3) Provenance data interoperable with bibliographic referencing systems and
document authoring software in clipboarding and interprocess communication.

A solution for clipboarding arbitrary 
selections of hypertext which can include MathML, which can include 
parallel markup, is the use of XInclude in the clipboarded hypertext.  
In addition to backwards compatible clipboarding, with "text/html" and 
"application/xhtml+xml", we could also utilize content type parameters, 
for instance "text/html; ...=..." and "application/xhtml+xml; ...=...", 
which could indicate to clipboard consumers the use of XInclude and 
RFC2392 in interprocess communication.

That is, from an arbitrary selection of hypertext document content including:

This sentence has mathematics in it

we can envision something on the clipboard like:

This sentence has mathematics in it http://www.w3.org/2001/XInclude"; href="..." />.

where the URI scheme of the XInclude's @href could be as per RFC2392 so as to
indicate content from another clipboard resource, which could have a
"multipart/alternative" content type, and content types such as:
"application/mathml-presentation+xml", "application/mathml-content+xml",
and/or "application/mathml+xml", as well as other formats and content
based upon processing any parallel content
(http://www.w3.org/TR/MathML3/chapter5.html) in the MathML.

Pasting would then be a bit more complex, scanning for such XInclude elements, and
assembling content utilizing formats known to the pasting application.



Kind regards,

Adam Sobieski 

Re: RE: MathML and "Clipboard API and events"

2013-04-16 Thread Hallvord Reiar Michaelsen Steen


> I suspect that the MathML community would be eager to help define
> what needs to get stripped out of MathML to maintain security.
> However, speaking for myself, I do not know what kinds of things
> are considered dangerous. For example, MathML has markup that lets
> a math expression act as a hyperlink. Do we need to strip that out
> completely or is that dependent on the url?


See the initial list of "bad stuff" in 
https://www.w3.org/Bugs/Public/show_bug.cgi?id=21700


Basically, the attack scenario is: trick a user into trying to copy something 
from an attacker's site to a rich text element on a target site. If this 
process can make some code execute inside the target site, the attack can 
succeed. 


(There is also some scope for doing malice with CSS and form elements, but 
probably much less.)

-- 
Hallvord R. M. Steen
Core tester, Opera Software
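
An added example, not code from this thread or from any browser: one way a pasting application could prune MathML taken from the clipboard before inserting it, covering the constructs raised in this thread (maction, hyperlinks whose safety depends on the URL, and embedded non-MathML markup). The allowlists, the size limit and the sample payload are assumptions constructed for illustration; they do not reproduce the list in bug 21700.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MATHML_NS = "http://www.w3.org/1998/Math/MathML"
ET.register_namespace("", MATHML_NS)  # serialize MathML as the default namespace

# Assumed allowlists for this example (presentation MathML only).
# annotation-xml is left out on purpose: it can carry foreign markup.
ALLOWED_ELEMENTS = {
    "math", "mrow", "mi", "mn", "mo", "mtext", "mspace", "msup", "msub",
    "msubsup", "mfrac", "msqrt", "mroot", "mover", "munder", "munderover",
    "mtable", "mtr", "mtd", "mstyle", "semantics", "annotation",
}
ALLOWED_ATTRIBUTES = {"display", "mathvariant", "stretchy", "columnalign",
                      "rowalign", "encoding", "href"}
SAFE_LINK_SCHEMES = {"http", "https"}
MAX_CHARS = 100_000  # assumed size limit for a single formula


def _split(qname):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if qname.startswith("{"):
        ns, _, name = qname[1:].partition("}")
        return ns, name
    return "", qname


def _safe_href(value):
    """Return the link if it is an absolute http(s) URL, else None."""
    # Browsers ignore tabs and newlines inside URLs, so remove them first.
    url = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    return url if parts.scheme in SAFE_LINK_SCHEMES and parts.netloc else None


def _clean(elem):
    """Rebuild elem from allowlisted parts; None means drop the subtree."""
    ns, name = _split(elem.tag)
    if ns != MATHML_NS:
        return None  # HTML, SVG or any other foreign content
    if name == "maction":
        # Keep only the first child instead of the interactive wrapper.
        first = next(iter(elem), None)
        return _clean(first) if first is not None else None
    if name not in ALLOWED_ELEMENTS:
        return None
    out = ET.Element(elem.tag)
    out.text = elem.text
    for key, value in elem.attrib.items():
        a_ns, a_name = _split(key)
        if a_ns or a_name not in ALLOWED_ATTRIBUTES:
            continue  # event handlers, style, xlink:href, ...
        if a_name == "href":
            value = _safe_href(value)
            if value is None:
                continue
        out.set(a_name, value)
    for child in elem:
        kept = _clean(child)
        if kept is not None:
            kept.tail = child.tail
            out.append(kept)
    return out


def sanitize_mathml(payload):
    """Return sanitized MathML as a string, or None if the payload is refused."""
    # Refuse DTDs outright so entity definitions are never processed.
    if len(payload) > MAX_CHARS or "<!DOCTYPE" in payload or "<!ENTITY" in payload:
        return None
    try:
        cleaned = _clean(ET.fromstring(payload))
    except (ET.ParseError, ValueError, RecursionError):
        return None
    if cleaned is None or _split(cleaned.tag)[1] != "math":
        return None
    return ET.tostring(cleaned, encoding="unicode")


# Constructed sample payload, as it might arrive from an untrusted page.
SAMPLE = (
    '<math xmlns="http://www.w3.org/1998/Math/MathML" onclick="track()">'
    '<maction actiontype="toggle"><msup><mi>x</mi><mn>2</mn></msup>'
    '<mtext>alt</mtext></maction>'
    '<mo>+</mo>'
    '<mi href="javascript:void(0)">y</mi>'
    '<mi href="https://example.org/z">z</mi>'
    '<semantics><mi>w</mi><annotation-xml encoding="text/html">'
    '<img xmlns="http://www.w3.org/1999/xhtml" src="x" onerror="track()"/>'
    '</annotation-xml></semantics>'
    '</math>'
)

if __name__ == "__main__":
    print(sanitize_mathml(SAMPLE))
```

The output is rebuilt from allowlisted names rather than edited in place, so a construct the lists do not mention is dropped by default.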








Re: MathML and "Clipboard API and events"

2013-04-15 Thread Daniel Cheng
I see. I wasn't aware of that reference since I didn't find it in my
searching. In that case, I don't have any particular objection though I
don't really know what would need to be sanitized.

Daniel


On Mon, Apr 15, 2013 at 4:12 PM, Paul Topping  wrote:

>  http://www.w3.org/TR/MathML3/appendixb.html mentions both Mac and
> Windows formats for MathML. 
>
> *From:* dch...@google.com [mailto:dch...@google.com] *On Behalf Of *Daniel
> Cheng
> *Sent:* Monday, April 15, 2013 3:49 PM
>
> *To:* Paul Topping
> *Cc:* Hallvord Reiar Michaelsen Steen; public-webapps@w3.org
> *Subject:* Re: MathML and "Clipboard API and events"
>
> On Mon, Apr 15, 2013 at 3:07 PM, Paul Topping  wrote:
>
>  Why would the answer to this question be dictated by the need to convert
> the MathML format to some other “native” format? I just want my app (native
> or web) to be able to identify the clipboard data type so it can consume
> the data as it sees fit. Conversion to some other format is but one thing
> an app can do with data. If apps can’t identify MathML with confidence,
> they are stuck with ad hoc sniffing of any non-specific data types that
> might contain MathML. I might look at the plain text and XML data types to
> see if they contain “”, for example. 
>
>  Because if there is no native format to convert it to, then every
> browser is likely to do it differently anyway... which means you're stuck
> with ad hoc detection of MathML anyway.
>
> Like I said, there's nothing that stops you from setting text/mathml on
> the HTML clipboard today. It just won't have the magic conversion to the
> native type.
>
> In some sense MathML does have a native format on Mac and Windows.
> Microsoft and Design Science (my company) got together years ago and
> defined one. There are some other companies that support it but it seems
> like it is hard to get the word out there with a “standard” offered by
> commercial app vendors.
>
>  I can't find any information about this native format. And even if
> there is a native format, that is not the same as having a standard format
> in the native data transfer object (IDataObject on Windows, NSPasteboard on
> Mac).
>
>  If browsers supported MathML rendering and a distinct MathML clipboard
> type and both were defined by the W3C, it would go a long way to
> establishing a standard that matters and it would get adopted widely.
>
>  
>
> Paul
>
> *From:* dch...@google.com [mailto:dch...@google.com] *On Behalf Of *Daniel
> Cheng
> *Sent:* Monday, April 15, 2013 1:56 PM
> *To:* Paul Topping
> *Cc:* Hallvord Reiar Michaelsen Steen; public-webapps@w3.org
>
>
> *Subject:* Re: MathML and "Clipboard API and events"
>
>  
>
> When I suggested formats that implementations ought to support, I
> specifically mentioned image/svg+xml because it was mostly convertible to
> native types (Windows metafile on Windows, PDF on Mac). I don't think
> anyone's implemented this conversion, but it's technically possible.
>
>  
>
> On the other hand, MathML doesn't have a corresponding native equivalent
> on Windows or Mac. You could argue that this is a chicken and egg problem,
> but without any native format equivalents, there's no good way to map that
> data.
>
>  
>
> You should still be able to set MathML in the clipboard if you want. It
> just won't be visible to native apps.
>
>  
>
> Daniel
>
>  
>
> On Mon, Apr 15, 2013 at 8:44 AM, Paul Topping  wrote:
>
> Hi Hallvord,
>
> Yes, your rewording sounds like a good direction to me. I still worry that
> placing plain text on the clipboard along with MathML will result in a lot
> of apps failing to paste the MathML but doing so would probably be
> considered a bug in such an app.
>
> Thanks for filing the bugs. I suspect that the MathML community would be
> eager to help define what needs to get stripped out of MathML to maintain
> security. However, speaking for myself, I do not know what kinds of things
> are considered dangerous. For example, MathML has markup that lets a math
> expression act as a hyperlink. Do we need to strip that out completely or
> is that dependent on the url? If there are guidelines on what is considered
> dangerous, then we could figure out exactly which MathML constructs need to
> be pruned. Or is there some other procedure for getting this done?
>
> Paul
>
>
> > -Original Message-
> > From: Hallvord R

RE: MathML and "Clipboard API and events"

2013-04-15 Thread Paul Topping
http://www.w3.org/TR/MathML3/appendixb.html mentions both Mac and Windows 
formats for MathML.

From: dch...@google.com [mailto:dch...@google.com] On Behalf Of Daniel Cheng
Sent: Monday, April 15, 2013 3:49 PM
To: Paul Topping
Cc: Hallvord Reiar Michaelsen Steen; public-webapps@w3.org
Subject: Re: MathML and "Clipboard API and events"

On Mon, Apr 15, 2013 at 3:07 PM, Paul Topping <pa...@dessci.com> wrote:
Why would the answer to this question be dictated by the need to convert the 
MathML format to some other “native” format? I just want my app (native or web) 
to be able to identify the clipboard data type so it can consume the data as it 
sees fit. Conversion to some other format is but one thing an app can do with 
data. If apps can’t identify MathML with confidence, they are stuck with ad hoc 
sniffing of any non-specific data types that might contain MathML. I might look 
at the plain text and XML data types to see if they contain “”, for 
example.
Because if there is no native format to convert it to, then every browser is 
likely to do it differently anyway... which means you're stuck with ad hoc 
detection of MathML anyway.

Like I said, there's nothing that stops you from setting text/mathml on the 
HTML clipboard today. It just won't have the magic conversion to the native 
type.

In some sense MathML does have a native format on Mac and Windows. Microsoft 
and Design Science (my company) got together years ago and defined one. There 
are some other companies that support it but it seems like it is hard to get 
the word out there with a “standard” offered by commercial app vendors.
I can't find any information about this native format. And even if there is a 
native format, that is not the same as having a standard format in the native 
data transfer object (IDataObject on Windows, NSPasteboard on Mac).
If browsers supported MathML rendering and a distinct MathML clipboard type and 
both were defined by the W3C, it would go a long way to establishing a standard 
that matters and it would get adopted widely.

Paul

From: dch...@google.com [mailto:dch...@google.com] On Behalf Of Daniel Cheng
Sent: Monday, April 15, 2013 1:56 PM
To: Paul Topping
Cc: Hallvord Reiar Michaelsen Steen; public-webapps@w3.org

Subject: Re: MathML and "Clipboard API and events"

When I suggested formats that implementations ought to support, I specifically 
mentioned image/svg+xml because it was mostly convertible to native types 
(Windows metafile on Windows, PDF on Mac). I don't think anyone's implemented 
this conversion, but it's technically possible.

On the other hand, MathML doesn't have a corresponding native equivalent on 
Windows or Mac. You could argue that this is a chicken and egg problem, but 
without any native format equivalents, there's no good way to map that data.

You should still be able to set MathML in the clipboard if you want. It just 
won't be visible to native apps.

Daniel

On Mon, Apr 15, 2013 at 8:44 AM, Paul Topping <pa...@dessci.com> wrote:
Hi Hallvord,

Yes, your rewording sounds like a good direction to me. I still worry that 
placing plain text on the clipboard along with MathML will result in a lot of 
apps failing to paste the MathML but doing so would probably be considered a 
bug in such an app.

Thanks for filing the bugs. I suspect that the MathML community would be eager 
to help define what needs to get stripped out of MathML to maintain security. 
However, speaking for myself, I do not know what kinds of things are considered 
dangerous. For example, MathML has markup that lets a math expression act as a 
hyperlink. Do we need to strip that out completely or is that dependent on the 
url? If there are guidelines on what is considered dangerous, then we could 
figure out exactly which MathML constructs need to be pruned. Or is there some 
other procedure for getting this done?

Paul

> -Original Message-
> From: Hallvord Reiar Michaelsen Steen [mailto:hallv...@opera.com]
> Sent: Monday, April 15, 2013 1:50 AM
> To: public-webapps@w3.org; Paul Topping
> Subject: Re: MathML and "Clipboard API and events"
>
> Hi Paul, thanks for your comments.
>
> > Mathematical information
> >
> > This section says "MathML often needs to be transformed to be
> > copied as plain text, for example to make sure "to the power of"
> > is shown with the caret "^" sign in a formula plain-text input."
> > Such a transformation should not be part of a normal copy operation
> > since that would transfer MathML. My concern is that readers get the
> > idea that x 2 should always or often be transformed to x^2.
>

Re: MathML and "Clipboard API and events"

2013-04-15 Thread Daniel Cheng
On Mon, Apr 15, 2013 at 3:07 PM, Paul Topping  wrote:

>  Why would the answer to this question be dictated by the need to convert
> the MathML format to some other “native” format? I just want my app (native
> or web) to be able to identify the clipboard data type so it can consume
> the data as it sees fit. Conversion to some other format is but one thing
> an app can do with data. If apps can’t identify MathML with confidence,
> they are stuck with ad hoc sniffing of any non-specific data types that
> might contain MathML. I might look at the plain text and XML data types to
> see if they contain “”, for example. 
>
Because if there is no native format to convert it to, then every browser
is likely to do it differently anyway... which means you're stuck with ad
hoc detection of MathML anyway.

Like I said, there's nothing that stops you from setting text/mathml on the
HTML clipboard today. It just won't have the magic conversion to the native
type.


>
> In some sense MathML does have a native format on Mac and Windows.
> Microsoft and Design Science (my company) got together years ago and
> defined one. There are some other companies that support it but it seems
> like it is hard to get the word out there with a “standard” offered by
> commercial app vendors.
>
I can't find any information about this native format. And even if there
is a native format, that is not the same as having a standard format in the
native data transfer object (IDataObject on Windows, NSPasteboard on Mac).

> If browsers supported MathML rendering and a distinct MathML clipboard
> type and both were defined by the W3C, it would go a long way to
> establishing a standard that matters and it would get adopted widely.
>
> Paul
>
> *From:* dch...@google.com [mailto:dch...@google.com] *On Behalf Of *Daniel
> Cheng
> *Sent:* Monday, April 15, 2013 1:56 PM
> *To:* Paul Topping
> *Cc:* Hallvord Reiar Michaelsen Steen; public-webapps@w3.org
>
> *Subject:* Re: MathML and "Clipboard API and events"
>
> When I suggested formats that implementations ought to support, I
> specifically mentioned image/svg+xml because it was mostly convertible to
> native types (Windows metafile on Windows, PDF on Mac). I don't think
> anyone's implemented this conversion, but it's technically possible.
>
> On the other hand, MathML doesn't have a corresponding native equivalent
> on Windows or Mac. You could argue that this is a chicken and egg problem,
> but without any native format equivalents, there's no good way to map that
> data.
>
> You should still be able to set MathML in the clipboard if you want. It
> just won't be visible to native apps.
>
> Daniel
>
> On Mon, Apr 15, 2013 at 8:44 AM, Paul Topping  wrote:
>
> Hi Hallvord,
>
> Yes, your rewording sounds like a good direction to me. I still worry that
> placing plain text on the clipboard along with MathML will result in a lot
> of apps failing to paste the MathML but doing so would probably be
> considered a bug in such an app.
>
> Thanks for filing the bugs. I suspect that the MathML community would be
> eager to help define what needs to get stripped out of MathML to maintain
> security. However, speaking for myself, I do not know what kinds of things
> are considered dangerous. For example, MathML has markup that lets a math
> expression act as a hyperlink. Do we need to strip that out completely or
> is that dependent on the url? If there are guidelines on what is considered
> dangerous, then we could figure out exactly which MathML constructs need to
> be pruned. Or is there some other procedure for getting this done?
>
> Paul
>
>
> > -Original Message-
> > From: Hallvord Reiar Michaelsen Steen [mailto:hallv...@opera.com]
> > Sent: Monday, April 15, 2013 1:50 AM
> > To: public-webapps@w3.org; Paul Topping
> > Subject: Re: MathML and "Clipboard API and events"
> >
>
> > Hi Paul, thanks for your comments.
> >
> > > Mathematical information
> > >
> > > This section says "MathML often needs to be transformed to be
> > > copied as plain text, for example to make sure "to the power of"
> > > is shown with the caret "^" sign in a formula plain-text input."
> > > Such a transformation should not be part of a normal copy operation
> > > since that would transfer MathML. My concern is that readers get the
> > > idea that x 2 should always or often be transformed to x^2.
> >
>

RE: MathML and "Clipboard API and events"

2013-04-15 Thread Paul Topping
Why would the answer to this question be dictated by the need to convert the 
MathML format to some other “native” format? I just want my app (native or web) 
to be able to identify the clipboard data type so it can consume the data as it 
sees fit. Conversion to some other format is but one thing an app can do with 
data. If apps can’t identify MathML with confidence, they are stuck with ad hoc 
sniffing of any non-specific data types that might contain MathML. I might look 
at the plain text and XML data types to see if they contain “”, for 
example.

In some sense MathML does have a native format on Mac and Windows. Microsoft 
and Design Science (my company) got together years ago and defined one. There 
are some other companies that support it but it seems like it is hard to get 
the word out there with a “standard” offered by commercial app vendors. If 
browsers supported MathML rendering and a distinct MathML clipboard type and 
both were defined by the W3C, it would go a long way to establishing a standard 
that matters and it would get adopted widely.

Paul

From: dch...@google.com [mailto:dch...@google.com] On Behalf Of Daniel Cheng
Sent: Monday, April 15, 2013 1:56 PM
To: Paul Topping
Cc: Hallvord Reiar Michaelsen Steen; public-webapps@w3.org
Subject: Re: MathML and "Clipboard API and events"

When I suggested formats that implementations ought to support, I specifically 
mentioned image/svg+xml because it was mostly convertible to native types 
(Windows metafile on Windows, PDF on Mac). I don't think anyone's implemented 
this conversion, but it's technically possible.

On the other hand, MathML doesn't have a corresponding native equivalent on 
Windows or Mac. You could argue that this is a chicken and egg problem, but 
without any native format equivalents, there's no good way to map that data.

You should still be able to set MathML in the clipboard if you want. It just 
won't be visible to native apps.

Daniel

On Mon, Apr 15, 2013 at 8:44 AM, Paul Topping <pa...@dessci.com> wrote:
Hi Hallvord,

Yes, your rewording sounds like a good direction to me. I still worry that 
placing plain text on the clipboard along with MathML will result in a lot of 
apps failing to paste the MathML but doing so would probably be considered a 
bug in such an app.

Thanks for filing the bugs. I suspect that the MathML community would be eager 
to help define what needs to get stripped out of MathML to maintain security. 
However, speaking for myself, I do not know what kinds of things are considered 
dangerous. For example, MathML has markup that lets a math expression act as a 
hyperlink. Do we need to strip that out completely or is that dependent on the 
url? If there are guidelines on what is considered dangerous, then we could 
figure out exactly which MathML constructs need to be pruned. Or is there some 
other procedure for getting this done?

Paul

> -Original Message-
> From: Hallvord Reiar Michaelsen Steen [mailto:hallv...@opera.com]
> Sent: Monday, April 15, 2013 1:50 AM
> To: public-webapps@w3.org; Paul Topping
> Subject: Re: MathML and "Clipboard API and events"
>
> Hi Paul, thanks for your comments.
>
> > Mathematical information
> >
> > This section says "MathML often needs to be transformed to be
> > copied as plain text, for example to make sure "to the power of"
> > is shown with the caret "^" sign in a formula plain-text input."
> > Such a transformation should not be part of a normal copy operation
> > since that would transfer MathML. My concern is that readers get the
> > idea that x 2 should always or often be transformed to x^2.
>
>
> What about saying something like
>
>
> "Some applications may want to place plain text alternatives along with
> MathML formulas on the clipboard, for example to make sure .." ?
>
>
> >  10.  Mandatory data types
> >
> > I am surprised not to see a MathML type in this list
>
>
> Well, since you mention it.. I've filed a bug (
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=21698 ) in response to
> your question. If you have comments or information please add (either by
> replying here or in the bug). Would be great if you could help me understand
> whether allowing an application to write MathML to the clipboard could
> expose an app to attacks if the MathML markup is pasted without further
> processing - see also
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=21700
>
>
> --
> Hallvord R. M. Steen
> Core tester, Opera Software
>
>
>
>



Re: MathML and "Clipboard API and events"

2013-04-15 Thread Daniel Cheng
When I suggested formats that implementations ought to support, I
specifically mentioned image/svg+xml because it was mostly convertible to
native types (Windows metafile on Windows, PDF on Mac). I don't think
anyone's implemented this conversion, but it's technically possible.

On the other hand, MathML doesn't have a corresponding native equivalent on
Windows or Mac. You could argue that this is a chicken and egg problem, but
without any native format equivalents, there's no good way to map that data.

You should still be able to set MathML in the clipboard if you want. It
just won't be visible to native apps.

Daniel


On Mon, Apr 15, 2013 at 8:44 AM, Paul Topping  wrote:

> Hi Hallvord,
>
> Yes, your rewording sounds like a good direction to me. I still worry that
> placing plain text on the clipboard along with MathML will result in a lot
> of apps failing to paste the MathML but doing so would probably be
> considered a bug in such an app.
>
> Thanks for filing the bugs. I suspect that the MathML community would be
> eager to help define what needs to get stripped out of MathML to maintain
> security. However, speaking for myself, I do not know what kinds of things
> are considered dangerous. For example, MathML has markup that lets a math
> expression act as a hyperlink. Do we need to strip that out completely or
> is that dependent on the url? If there are guidelines on what is considered
> dangerous, then we could figure out exactly which MathML constructs need to
> be pruned. Or is there some other procedure for getting this done?
>
> Paul
>
> > -Original Message-
> > From: Hallvord Reiar Michaelsen Steen [mailto:hallv...@opera.com]
> > Sent: Monday, April 15, 2013 1:50 AM
> > To: public-webapps@w3.org; Paul Topping
> > Subject: Re: MathML and "Clipboard API and events"
> >
> > Hi Paul, thanks for your comments.
> >
> > > Mathematical information
> > >
> > > This section says "MathML often needs to be transformed to be
> > > copied as plain text, for example to make sure "to the power of"
> > > is shown with the caret "^" sign in a formula plain-text input."
> > > Such a transformation should not be part of a normal copy operation
> > > since that would transfer MathML. My concern is that readers get the
> > > idea that x 2 should always or often be transformed to x^2.
> >
> >
> > What about saying something like
> >
> >
> > "Some applications may want to place plain text alternatives along with
> > MathML formulas on the clipboard, for example to make sure .." ?
> >
> >
> > >  10.  Mandatory data types
> > >
> > > I am surprised not to see a MathML type in this list
> >
> >
> > Well, since you mention it.. I've filed a bug (
> > https://www.w3.org/Bugs/Public/show_bug.cgi?id=21698 ) in response to
> > your question. If you have comments or information please add (either by
> > replying here or in the bug). Would be great if you could help me understand
> > whether allowing an application to write MathML to the clipboard could
> > expose an app to attacks if the MathML markup is pasted without further
> > processing - see also
> > https://www.w3.org/Bugs/Public/show_bug.cgi?id=21700
> >
> >
> > --
> > Hallvord R. M. Steen
> > Core tester, Opera Software
> >
> >
> >
> >
>
>


RE: MathML and "Clipboard API and events"

2013-04-15 Thread Paul Topping
Hi Hallvord,

Yes, your rewording sounds like a good direction to me. I still worry that 
placing plain text on the clipboard along with MathML will result in a lot of 
apps failing to paste the MathML but doing so would probably be considered a 
bug in such an app.

Thanks for filing the bugs. I suspect that the MathML community would be eager 
to help define what needs to get stripped out of MathML to maintain security. 
However, speaking for myself, I do not know what kinds of things are considered 
dangerous. For example, MathML has markup that lets a math expression act as a 
hyperlink. Do we need to strip that out completely or is that dependent on the 
url? If there are guidelines on what is considered dangerous, then we could 
figure out exactly which MathML constructs need to be pruned. Or is there some 
other procedure for getting this done?

Paul

> -Original Message-
> From: Hallvord Reiar Michaelsen Steen [mailto:hallv...@opera.com]
> Sent: Monday, April 15, 2013 1:50 AM
> To: public-webapps@w3.org; Paul Topping
> Subject: Re: MathML and "Clipboard API and events"
> 
> Hi Paul, thanks for your comments.
> 
> > Mathematical information
> >
> > This section says "MathML often needs to be transformed to be
> > copied as plain text, for example to make sure "to the power of"
> > is shown with the caret "^" sign in a formula plain-text input."
> > Such a transformation should not be part of a normal copy operation
> > since that would transfer MathML. My concern is that readers get the
> > idea that x 2 should always or often be transformed to x^2.
> 
> 
> What about saying something like
> 
> 
> "Some applications may want to place plain text alternatives along with
> MathML formulas on the clipboard, for example to make sure .." ?
> 
> 
> >  10.  Mandatory data types
> >
> > I am surprised not to see a MathML type in this list
> 
> 
> Well, since you mention it.. I've filed a bug (
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=21698 ) in response to
> your question. If you have comments or information please add (either by
> replying here or in the bug). Would be great if you could help me understand
> whether allowing an application to write MathML to the clipboard could
> expose an app to attacks if the MathML markup is pasted without further
> processing - see also
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=21700
> 
> 
> --
> Hallvord R. M. Steen
> Core tester, Opera Software
> 
> 
> 
> 



Re: MathML and "Clipboard API and events"

2013-04-15 Thread Hallvord Reiar Michaelsen Steen
Hi Paul, thanks for your comments.
 
> Mathematical information
> 
> This section says "MathML often needs to be transformed to be
> copied as plain text, for example to make sure "to the power of"
> is shown with the caret "^" sign in a formula plain-text input."
> Such a transformation should not be part of a normal copy operation
> since that would transfer MathML. My concern is that readers get the
> idea that x 2 should always or often be transformed to x^2.


What about saying something like 


"Some applications may want to place plain text alternatives along with MathML 
formulas on the clipboard, for example to make sure .." ?


>  10.  Mandatory data types
> 
> I am surprised not to see a MathML type in this list


Well, since you mention it.. I've filed a bug ( 
https://www.w3.org/Bugs/Public/show_bug.cgi?id=21698 ) in response to your 
question. If you have comments or information please add (either by replying 
here or in the bug). Would be great if you could help me understand whether 
allowing an application to write MathML to the clipboard could expose an app to 
attacks if the MathML markup is pasted without further processing - see also 
https://www.w3.org/Bugs/Public/show_bug.cgi?id=21700


-- 
Hallvord R. M. Steen
Core tester, Opera Software








Re: MathML and "Clipboard API and events"

2013-04-12 Thread Paul Libbrecht
Hey Paul,

nice to hear you raise this!

I fully agree it should be possible for some JS code such as MathJax to copy 
MathML to clipboard.
The reason it is not listed as a mandatory data type, I believe, is that I, at 
least, have been unable to demonstrate the zero risk of doing so. 
I believe I have tried, although this spec has been running since quite long 
and things maybe have been changed.

Putting html in the clipboard is a requirement and there's a subtle and 
unspecified (yet) way of "sanitizing" the fragments so that it does not 
represent a risk when inserted in another context. Recent discussions have 
emerged about this. All of the browsers which implement html-copying have their 
own implementation.

Doing the same for MathML, e.g. removing maction, or, at least, any 
html-sensitive things should be needed. I do not know it is done.

Hallvord Steen, the editor of this spec, and others might correct me but I 
interpret that this is the reason it is not in the required types.

I would be happy if we can formulate such a thing in a convincing way.

Paul




> 10. Mandatory data types
>  
> I am surprised not to see a MathML type in this list. I suppose MathML could 
> be typed as application/xml but SVG gets its own image/svg+xml type so I 
> would expect MathML to be treated in an analogous manner. I will admit to not 
> knowing the ramifications of this.
>  
> I also want to mention MathJax (www.mathjax.org). MathJax is an open source 
> JavaScript engine for rendering MathML and LaTeX in browsers. It could be 
> looked at as a polyfill for the current lack of good browser support for 
> MathML. However, it also has its own UI and processes LaTeX so it will 
> definitely have a place even after browsers routinely render MathML.
>  
> I mention MathJax here as it is a good use case for the clipboard API. It 
> transforms MathML or LaTeX in the web page to a chunk of renderable HTML, 
> CSS, SVG, or even MathML if the browser supports it natively. The user would 
> like to be able to select, cut, copy, and paste a mathematical expression 
> rendered this way as if it was a single object. It sounds like MathJax should 
> be able to do this using this clipboard API, though it does not address the 
> selection aspect. Taking this a step further, someday we might hope to allow 
> the user to select sub-expressions of a mathematical equation for the purpose 
> of cut and copy.
>  
> Paul Topping
> Design Science, Inc.




RE: MathML and "Clipboard API and events"

2013-04-12 Thread Paul Topping
As to the lack of a MathML clipboard data type, I worry that this will make the 
copy ambiguous. We already see that in some desktop apps where some kind of 
Paste Special is needed.

Speaking of Paste Special, I didn't see that mentioned. It would be really nice 
to be able to easily implement special kinds of paste in web apps. I am sure 
there are many, many use cases for Paste Special but for math it might be used 
to paste alternative forms of the math, such as LaTeX, ASCII math, or literal 
MathML code (useful when documenting MathML itself). Perhaps it could also 
provide conversions to computational forms, such as spreadsheet formulae. Of 
course, I am not sure this clipboard spec prevents any of this or even plays a 
role in it.

Surely such sanitization would be easy to specify and implement. It would not 
bother me if all mactions were removed in the MathML to be copied. That may be 
too drastic though. I would assume that the HTML sanitization folks have 
guidelines as to what kinds of things need to be removed. With such guidelines 
in hand, I doubt that the MathML community would have much trouble specifying 
the necessary filter for MathML.

Paul

> -----Original Message-----
> From: Paul Libbrecht [mailto:p...@hoplahup.net]
> Sent: Friday, April 12, 2013 1:19 PM
> To: Paul Topping
> Cc: public-webapps@w3.org
> Subject: Re: MathML and "Clipboard API and events"
> 
> Hey Paul,
> 
> nice to hear you raise this!
> 
> I fully agree it should be possible for some JS code such as MathJax to copy
> MathML to clipboard.
> The reason it is not listed as a mandatory data type, I believe, is that I, at
> least, have been unable to demonstrate the zero risk of doing so.
> I believe I have tried, although this spec has been running since quite long
> and things maybe have been changed.
> 
> Putting html in the clipboard is a requirement and there's a subtle and
> unspecified (yet) way of "sanitizing" the fragments so that it does not
> represent a risk when inserted in another context. Recent discussions have
> emerged about this. All of the browsers which implement html-copying have
> their own implementation.
> 
> Doing the same for MathML, e.g. removing maction, or, at least, any html-
> sensitive things should be needed. I do not know it is done.
> 
> Hallvord Steen, the editor of this spec, and others might correct me but I
> interpret that this is the reason it is not in the required types.
> 
> I would be happy if we can formulate such a thing in a convincing way.
> 
> Paul
> 
> 
> 
> 
> > 10. Mandatory data types
> >
> > I am surprised not to see a MathML type in this list. I suppose MathML
> could be typed as application/xml but SVG gets its own image/svg+xml type
> so I would expect MathML to be treated in an analogous manner. I will admit
> to not knowing the ramifications of this.
> >
> > I also want to mention MathJax (www.mathjax.org). MathJax is an open
> source JavaScript engine for rendering MathML and LaTeX in browsers. It
> could be looked at as a polyfill for the current lack of good browser support
> for MathML. However, it also has its own UI and processes LaTeX so it will
> definitely have a place even after browsers routinely render MathML.
> >
> > I mention MathJax here as it is a good use case for the clipboard API. It
> transforms MathML or LaTeX in the web page to a chunk of renderable
> HTML, CSS, SVG, or even MathML if the browser supports it natively. The
> user would like to be able to select, cut, copy, and paste a mathematical
> expression rendered this way as if it was a single object. It sounds like
> MathJax should be able to do this using this clipboard API, though it does not
> address the selection aspect. Taking this a step further, someday we might
> hope to allow the user to select sub-expressions of a mathematical equation
> for the purpose of cut and copy.
> >
> > Paul Topping
> > Design Science, Inc.
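
The kind of paste-time filter discussed in the messages above (dropping maction and anything HTML-sensitive from MathML), as an added example; it is not code from this thread, the Clipboard API draft, or any browser. The allowlists, the function names and the sample input are assumptions constructed for illustration.

```javascript
// Constructed allowlists for this example; not a normative MathML subset.
const ALLOWED_ELEMENTS = new Set(["math", "mrow", "mi", "mn", "mo", "mtext",
  "msup", "msub", "msubsup", "mfrac", "msqrt", "mroot", "mover", "munder",
  "mtable", "mtr", "mtd", "mspace"]);
const ALLOWED_ATTRS = new Set(["display", "mathvariant", "stretchy", "fence",
  "separator", "columnalign", "rowalign", "width"]);
// One token: a start/end tag with quoted attributes, a text run, or a stray "<".
const TOKEN = /<(\/?)([A-Za-z][\w:.-]*)((?:\s+[\w:.-]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*(\/?)>|([^<]+)|(<)/g;
const ATTR = /([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

// Escape markup characters; keep well-formed character/entity references as they are.
function escapeText(s) {
  return s.replace(/&(?!(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z]\w*);)/g, "&amp;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Rebuild the fragment from tokens, so nothing is copied through unexamined.
function sanitizeMathML(input) {
  const out = [], open = [];
  let skipDepth = 0; // > 0 while inside a dropped (non-allowlisted) subtree
  for (const m of input.matchAll(TOKEN)) {
    const [, closing, rawName, attrs, selfClosing, text, strayLt] = m;
    if (rawName === undefined) { if (!skipDepth) out.push(escapeText(text ?? strayLt)); continue; }
    const name = rawName.toLowerCase();
    if (skipDepth) { // count nesting until the dropped subtree ends
      if (closing) skipDepth--; else if (!selfClosing) skipDepth++;
      continue;
    }
    if (closing) { // emit a close tag only if it matches the innermost open element
      if (open[open.length - 1] === name) out.push(`</${open.pop()}>`);
      continue;
    }
    if (!ALLOWED_ELEMENTS.has(name)) { // maction, annotation-xml, script, HTML, ...
      if (!selfClosing) skipDepth = 1;
      continue;
    }
    let tag = `<${name}`;
    for (const [, attrName, dq, sq] of attrs.matchAll(ATTR)) {
      const a = attrName.toLowerCase(); // href, xlink:href, style, on* are not listed
      if (ALLOWED_ATTRS.has(a)) tag += ` ${a}="${escapeText(dq ?? sq)}"`;
    }
    if (selfClosing) out.push(`${tag}/>`); else { out.push(`${tag}>`); open.push(name); }
  }
  while (open.length) out.push(`</${open.pop()}>`); // close anything left open
  return out.join("");
}

// Constructed sample clipboard fragment (inert placeholder handler and URL).
const SAMPLE = '<math display="block" onclick="f()"><msup><mi href="https://example.invalid/">x</mi>' +
  '<mn>2</mn></msup><maction actiontype="toggle"><mi>a</mi><mi>b</mi></maction><mo>&lt;</mo></math>';
```

Dropping every maction subtree is the strict option that one message above calls possibly too drastic; keeping only the selected child would need its own rule.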




MathML and "Clipboard API and events"

2013-04-12 Thread Paul Topping
Hi,



I was just reading this document 
(http://www.w3.org/TR/2013/WD-clipboard-apis-20130411/). My company has been 
heavily involved in MathML since its creation. We are obviously interested in 
clipboard APIs since we want to be able to copy, cut, and paste mathematics 
to/from web apps. I have a few comments.



Mathematical information



This section says "MathML often needs to be transformed to be copied as plain 
text, for example to make sure "to the power of" is shown with the caret "^" 
sign in a formula plain-text input." Such a transformation should not be part 
of a normal copy operation since that would transfer MathML. My concern is that 
readers get the idea that x2 should always or often be transformed to x^2. If 
such a conversion is done by default, it risks interfering with the transfer of 
MathML. People have gotten so used to typing math with such constructs as x^2 
that there is a tendency to think that is how math should be represented and 
rendered. Of course, a web app or even a browser might give the user the option 
of copying math as this sort of "ASCII math". With the inclusion of MathML in 
HTML5, we finally have reason to hope that math notation may be treated as a 
first class citizen in the web world "real soon now".



10. Mandatory data types



I am surprised not to see a MathML type in this list. I suppose MathML could be 
typed as application/xml but SVG gets its own image/svg+xml type so I would 
expect MathML to be treated in an analogous manner. I will admit to not knowing 
the ramifications of this.



I also want to mention MathJax (www.mathjax.org). 
MathJax is an open source JavaScript engine for rendering MathML and LaTeX in 
browsers. It could be looked at as a polyfill for the current lack of good 
browser support for MathML. However, it also has its own UI and processes LaTeX 
so it will definitely have a place even after browsers routinely render MathML.



I mention MathJax here as it is a good use case for the clipboard API. It 
transforms MathML or LaTeX in the web page to a chunk of renderable HTML, CSS, 
SVG, or even MathML if the browser supports it natively. The user would like to 
be able to select, cut, copy, and paste a mathematical expression rendered this 
way as if it was a single object. It sounds like MathJax should be able to do 
this using this clipboard API, though it does not address the selection aspect. 
Taking this a step further, someday we might hope to allow the user to select 
sub-expressions of a mathematical equation for the purpose of cut and copy.



Paul Topping

Design Science, Inc.