Is HTML5's contenteditable attribute supposed to be XSS safe?
I have read the somewhat related question div contenteditable, XSS, but its answers do not highlight much about the XSS safety of contenteditable, in particular with regard to accidental (as compared to intentional) cross-site scripting. I am, of course, aware that I should sanitize user input server-side.
TL;DR: Can I be certain that the user does not run the risk of introducing some external script (i.e. via data pasted from the clipboard) via a page element being set contenteditable? Does the spec make certain that any markup pasted into the contenteditable is sanitized before being inserted into the DOM?
I have noticed on the two major browsers I tested, Chromium/Chrome and Firefox, that it seems to be impossible to accidentally insert an active element into the contenteditable tag. An example of such an accidental insertion I would have imagined to be, for instance:
- the user copies a selection of DOM elements from one webpage and inserts them into the contenteditable element on another site.
- the user does (on the Linux command line)
  echo "<b onclick='alert(\"XSS\");'>click me</b>" | xclip -t text/html -selection "clipboard"
  and pastes that into the
An active element would be anything like:
- HTML markup containing a
- HTML markup containing elements with inline handlers such as
Now my question is, seeing that contenteditable seems somewhat safe from having any normal XSS vector pasted into it: is that by design?
I have read some specs/refs/whatever, where it neither explicitly mentions that contenteditable. Answering the XSS safety of contenteditable is the core of this question.
In contrast to the contenteditable attribute, the similar feature documents
The most recent reference/spec cited on MDN is https://html.spec.whatwg.org/multipage/interaction.html#contenteditable, which is oddly indifferent about any guarantees that
There is no standard which browsers must adhere to, so each browser will have its own implementation for handling user input. And if there is a way, you can be sure users will figure out how to do it (older browsers are usually the most susceptible). It's up to you to sanitize the user's input, whether it be from typing, pasting, etc. (I had to do this for a project, there's no way you can rely on it "just working").
As for designMode, the part you linked:
When a script is to be executed in a script execution context in which scripting is disabled, the script must do nothing and return nothing (a void return value).
Thus, for instance, enabling designMode will disable any event handler attributes, event listeners, timeouts, etc, that were set by scripts in the document.
This would make it appear designMode makes you "safe", but remember, specifications evolved over time, so without going back and testing all of the various browsers (or at least the ones your users have), you can never be sure.
Author: skyline3000, posted 27 December 2017
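A server-side allowlist sanitizer of the kind both the question and the answer say is needed, as an added example (it is not code from the question, the answer, or any browser or spec). It uses Python's standard-library html.parser to rebuild the HTML submitted from a contenteditable element out of an allowlist of tags and attributes: script/style/iframe content is discarded outright, every attribute not on the allowlist (including all on* handlers) is dropped, and href values with a scheme other than http/https/mailto are removed. The allowed tag set, the helper names and the sample inputs are assumptions chosen for illustration.

```python
"""Allowlist HTML sanitizer for contenteditable submissions (added example).

Assumptions, not taken from the question or answer:
- the editor's HTML reaches the server as a string;
- the allowed vocabulary is a small set of formatting tags (ALLOWED_TAGS);
- anything not explicitly allowed is dropped, never escaped-and-kept.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # per-tag attribute allowlist
VOID_TAGS = {"br"}                                # never get a closing tag
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
# Elements whose *content* is discarded too, not just their tags.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "noscript"}


def _safe_url(value):
    """True if the URL's scheme is on the allowlist.

    Control characters are stripped first, because browsers ignore tabs and
    newlines inside a scheme ("java\\nscript:") while a naive parser may not.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 0x1F).strip()
    return urlparse(cleaned).scheme.lower() in SAFE_URL_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # serialized output pieces
        self.open_stack = []   # allowed tags currently open, for balancing
        self.drop_depth = 0    # >0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return                       # unknown tag: silently removed
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                 # drops onclick=, style=, and the rest
            if name == "href" and not _safe_url(value or ""):
                continue                 # drops javascript:, data:, vbscript:
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        # "<br/>" must not produce "</br>"; other self-closed tags are balanced.
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_stack:
            return                       # stray close tag: ignored
        while self.open_stack:           # close anything left open inside it
            top = self.open_stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped

    def result(self):
        while self.open_stack:           # balance tags the input left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    """Return fragment rebuilt from the allowlist; everything else is gone."""
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # The clipboard payload from the question, plus a few constructed inputs.
    for sample in (
        "<b onclick='alert(\"XSS\");'>click me</b>",
        '<p>hi<script>alert(1)</script> there</p>',
        '<a href="javascript:alert(1)">x</a>',
        "<img src=x onerror=alert(1)>",
    ):
        print(repr(sample), "->", repr(sanitize_html(sample)))
```

Re-serializing from a parse rather than pattern-matching the raw string is the point: nothing reaches the output unless it was explicitly allowed, so the onclick in the question's clipboard example and a javascript: href both disappear regardless of which browser produced the paste. For production use a maintained sanitizer (DOMPurify in the browser, bleach or nh3 on the server) covers far more edge cases than this short allowlist, but its structure is the same.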