On Wed, May 19, 2010 at 5:35 AM, Ojan Vafai <span dir="ltr"><<a href="mailto:firstname.lastname@example.org">email@example.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
The webkit behavior of allowing all scripts makes the most sense to me. It should be possible to disable scripts, but that capability shouldn't be tied to editability. The clean solution for the CKEditor developer is to use a sandboxed iframe.
<div><br></div><div>I don't see a security benefit for disabling script as you'd have all the same issues with loading any user-content in a non-editable area. The only catch is that you *do* need to disable script from pasted and drag-dropped content (see <a href="http://trac.webkit.org/changeset/53442" target="_blank">http://trac.webkit.org/changeset/53442</a>). Basically, any site serving user-content will already need to mitigate XSS some other way, so disabling script in editable areas is not necessary, but paste/drag-drop can't reasonably rely on server-side solutions, so must be done by the UA.</div>
</blockquote><div> </div></div>That makes sense to me. I'll see what the other editor developers think.<br><br clear="all">Rob<br>-- <br>"He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6]<br>
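The quoted message says the user agent, not the site, must strip script from pasted and drag-dropped content, and that an editor wanting script disabled altogether should live in a sandboxed iframe. As an added example (not code from this thread, CKEditor or WebKit), the JavaScript below shows the page-side defence-in-depth version of that paste check: a tree walker that removes active elements, <code>on*</code> handlers and <code>javascript:</code> URLs before clipboard HTML reaches a contenteditable region. The minimal node model, the <code>installPasteGuard</code> helper and the sample payload are constructed for the example; the walker uses only DOM members that exist on real nodes (<code>nodeType</code>, <code>nodeName</code>, <code>attributes</code>, <code>childNodes</code>, <code>removeChild</code>, <code>removeAttribute</code>), so it also runs unchanged on a <code>DOMParser</code> result in a browser.

```javascript
// Added example: page-side sanitising of pasted HTML so that script cannot
// enter a contenteditable region even if the user agent does not strip it.
// Not CKEditor's or WebKit's code; the node model below is constructed so the
// walker can be exercised offline with the same calls it would make on a DOM.

const ELEMENT_NODE = 1;
const TEXT_NODE = 3;

// Elements that carry executable or externally loaded content; removed outright.
const ACTIVE_TAGS = new Set(['SCRIPT', 'IFRAME', 'OBJECT', 'EMBED', 'STYLE', 'LINK', 'META', 'BASE']);
// Attributes whose value is a URL and may therefore carry a javascript: scheme.
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href', 'data', 'poster']);

// Reject any scheme that can execute code. Control characters and whitespace are
// removed first because browsers ignore them when parsing "java\nscript:".
function isUnsafeUrl(value) {
  const v = String(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return v.startsWith('javascript:') || v.startsWith('vbscript:') || v.startsWith('data:');
}

// Recursively remove active elements, on* event handlers and unsafe URL attributes
// from the subtree below `root`. Mutates in place and returns root.
function sanitizeTree(root) {
  for (const child of Array.from(root.childNodes)) {   // copy: we mutate while walking
    if (child.nodeType !== ELEMENT_NODE) continue;       // text nodes are inert
    if (ACTIVE_TAGS.has(child.nodeName.toUpperCase())) {
      root.removeChild(child);                           // drop it together with its subtree
      continue;
    }
    for (const attr of Array.from(child.attributes)) {
      const name = attr.name.toLowerCase();
      if (name.startsWith('on') || (URL_ATTRS.has(name) && isUnsafeUrl(attr.value))) {
        child.removeAttribute(attr.name);
      }
    }
    sanitizeTree(child);
  }
  return root;
}

// Count what remains that could execute: active elements plus on*/javascript: attributes.
function countActiveContent(root) {
  let n = 0;
  for (const child of root.childNodes) {
    if (child.nodeType !== ELEMENT_NODE) continue;
    if (ACTIVE_TAGS.has(child.nodeName.toUpperCase())) n++;
    for (const attr of child.attributes) {
      const name = attr.name.toLowerCase();
      if (name.startsWith('on') || (URL_ATTRS.has(name) && isUnsafeUrl(attr.value))) n++;
    }
    n += countActiveContent(child);
  }
  return n;
}

// Browser hook (hypothetical helper, not run offline): parse the clipboard HTML with
// DOMParser (which never executes script), sanitise it, then hand the markup to the
// editor's own insertion routine.
function installPasteGuard(editable, insertHtml) {
  editable.addEventListener('paste', (event) => {
    const html = event.clipboardData && event.clipboardData.getData('text/html');
    if (!html) return;                                   // plain-text paste: nothing to strip
    event.preventDefault();
    const body = new DOMParser().parseFromString(html, 'text/html').body;
    insertHtml(sanitizeTree(body).innerHTML);
  });
}

// --- Minimal DOM-shaped node model for offline use (constructed, not a real DOM) ---
function element(nodeName, attributes = {}, childNodes = []) {
  const node = {
    nodeType: ELEMENT_NODE,
    nodeName: nodeName.toUpperCase(),
    attributes: Object.entries(attributes).map(([name, value]) => ({ name, value })),
    childNodes,
    removeChild(child) { node.childNodes = node.childNodes.filter((c) => c !== child); },
    removeAttribute(name) { node.attributes = node.attributes.filter((a) => a.name !== name); },
  };
  return node;
}
const text = (data) => ({ nodeType: TEXT_NODE, nodeName: '#text', attributes: [], childNodes: [], data });

// Constructed sample of what a hostile clipboard payload might contain.
function samplePaste() {
  return element('body', {}, [
    element('p', { onmouseover: 'alert(1)' }, [text('hello')]),
    element('script', {}, [text('alert(2)')]),
    element('img', { src: 'x', onerror: 'alert(3)' }),
    element('a', { href: ' java\nscript:alert(4)' }, [text('link')]),
    element('a', { href: 'https://example.org/' }, [text('ok')]),
  ]);
}

// Runs the sanitiser over the sample and reports the active-content count before and after.
function demo() {
  const tree = samplePaste();
  const before = countActiveContent(tree);
  sanitizeTree(tree);
  return { before, after: countActiveContent(tree), children: tree.childNodes.length };
}
```

The walker removes whole elements rather than trying to neutralise them, because a <code>&lt;script&gt;</code> left in place with its contents is still a script once re-serialised and inserted. For the other half of the thread's advice, an editor that wants script off entirely can be hosted in an <code>&lt;iframe sandbox&gt;</code> whose <code>sandbox</code> value omits <code>allow-scripts</code>; the browser then blocks script in that frame regardless of editability.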