I have read the somewhat related question div contenteditable, XSS, but its answers do not highlight much about the XSS saftey of contenteditable. In particular with regards to accidental (as compared to intential cross-site-scripting). I am, of course, aware that I should sanitize user input server-side.

TL.DR.: Can I be certain that the user does not stand risk to introduce some external script(i.e. via data pasted from the clipboard) via a page Element being set contenteditable? Does the spec make certain that any markup pasted to the contenteditable is sanitized before being inserted into the DOM?

I have noticed that on two major Browsers I tested, Chromium/Chrome and Firefox, that it seems to be impossible to accidentally insert an active Elements into the contenteditable tag. An example for such an accedental insertion I would have imagined to be for instance:

• user copies a Selection of DOM Elements from one webpage and inserts them into the contenteditable Element on another site.
• user does (on linux command line) echo "<b onclick='alert("XSS");'>click me</b>" | xclip -t text/html -selection "clipboard" and pastes that into the contenteditable.

An active element would be anything like:

• html markup containing a <script>
• html markup containing elements with inline handlers such as onclick="alert(\"XSS\");"
• html markup containing javascript hrefs such as <a href="javascript:alert(\"XSS\")"> click me </a>

Now my question is, seeing that contenteditable seems somewhat safe from having any normal XSS vector being pasted into, if that is by design?

I have read some specs/refs/whatever where it does neither explicitly mention that contenteditable should prevent any active Element being inserted into the DOM of the page, neither that it would be allowed. This leaves me in doubt if I should use the contenteditable feature, as I do not want to risk some external javascript being inserted into contenteditable. Answer this XSS safety of contenteditable is the core of this question.

Update In contrast to the contenteditable attribute the similar feature documents designMode, seems to be specific (see https://www.w3.org/TR/2008/WD-html5-20080610/web-browsers.html#designModeScriptBlocked) about the javascript being disabled (hence XSS prevented).

UPDATE 2 The most recent reference/spec cited on MDN is https://html.spec.whatwg.org/multipage/interaction.html#contenteditable which is oddly indifferent about any guarantees that contenteditable provides to not introduce malicous javascript via paste.