[whatwg] Exposing spelling/grammar suggestions in contentEditable

Charles Pritchard chuck at jumis.com
Mon Nov 29 09:53:23 PST 2010

On 11/29/2010 1:49 AM, timeless wrote:
> On Mon, Nov 29, 2010 at 5:57 AM, Charles Pritchard <chuck at jumis.com> wrote:
>> A method for triggering a system/ua spell check via execCommand
>> would be a small step forward. Is that something already available?
>>   Afaik, it was canned from the early MS model.
> Bringing up system dialogs is scary/surprising and could be annoying[1].
> I'm waiting for the day when a security vulnerability is reported for
> a system spellchecker. -- And don't laugh, the open source spell
> checkers we've used have some really crummy code w/ a rather poor
> track record when it comes to buffers and inputs. Thankfully so far
> most attacks against them have been by dictionary vendors instead of
> users, but...
> [1] we still get bugs from people complaining about while(1)alert("boo");

I'm not laughing: using the 'Help' menu in old Windows (what was that, 
98?) to get into explorer.exe was one of my favorite security holes. I don't 
think it's unreasonable to expect that spell checkers would be 
distributed within the browser. But I don't want to add on additional 
burdens to UA designers either. I don't think it's reasonable to plan 
for system spell checkers to be exploited; if it's being tossed to the 
OS, then it really is an OS responsibility. If there is an exploit via a 
buffer overflow on a string/unicode pattern, it's quite possible that an 
existing spell checker would fail within the existing scheme.

Regarding while(1) alert("boo") -- I really like how the "Ignore further 
notifications from this page" option evolved to solve that issue. Spell 
checkers have something similar that people are used to: "Ignore all".

With the system dialog: Isn't the point here, to maintain consistency 
with the OS? Using an OS-level spell check dialog would do that.

It's not my favorite solution, but I'd like to find some way to inch 
forward (giving up on taking full steps).

