Update v1.0.6

public/filemanager/scripts/zeroclipboard/docs/security.md

@@ -0,0 +1,32 @@
+# Security
+
+We try our best to keep ZeroClipboard secure but there are some rules that you should consider following to keep your site safe.
+
+
+## Existing Configuration
+
+For the existing configuration options available for security, see [Configuration Options](api/ZeroClipboard.md#configuration-options).
+
+
+## Rules
+
+Basically, if an attacker gets access to the main window/global object via an XSS exploit, it's pretty much an instant "GAME OVER" unless **ALL** of the following are true:
+ 1. The `ZeroClipboard` object itself is not globally accessible.
+ 2. The `ZeroClipboard.prototype` object itself is not globally accessible.
+ 3. No `ZeroClipboard` instances are globally accessible.
+ 4. No callback functions for dispatched ZeroClipboard events are globally accessible.
+ 5. If a variable is used to set the path to the SWF via `ZeroClipboard.config`, that variable must not be globally accessible.
+ 6. The DOM is not accessible (due to built-in support for `data-clipboard-text` and `data-clipboard-target` attributes).
+
+ 
+## Examples
+
+ 1. Having `ZeroClipboard` instances globally accessible (versus encapsulated in a closure). This allows an attacker to manually call a client's `setText` method and inject their own text.
+ 2. As with all globally accessible functions in JavaScript, any globally accessible callback functions (hooked to events) can be overridden by an attacker. This isn't terribly dangerous but could be annoying.
+ 3. Overriding any of the `ZeroClipboard` or `ZeroClipboard.prototype` properties or methods, if globally accessible.
+ 4. Adding `data-clipboard-text` or `data-clipboard-target` attributes to every element in the DOM.
+
+ 
+### Responsible Disclosure
+
+If you find any security holes that you believe can be patched, please submit a pull request or file an issue. We will be very appreciative!