I have read the somewhat related question div contenteditable, XSS, but its answers do not highlight much about the XSS safety of contenteditable, in particular with regard to accidental (as compared to intentional) cross-site scripting. I am, of course, aware that I should sanitize user input server-side.

TL;DR: Can I be certain that the user does not run the risk of introducing some external script (i.e. via data pasted from the clipboard) via a page Element being set contenteditable? Does the spec make certain that any markup pasted into the contenteditable is sanitized before being inserted into the DOM?

I have noticed that on the two major Browsers I tested, Chromium/Chrome and Firefox, it seems to be impossible to accidentally insert an active Element into the contenteditable tag. An example of such an accidental insertion I would have imagined to be, for instance:

  • user copies a Selection of DOM Elements from one webpage and inserts them into the contenteditable Element on another site.
  • user does (on linux command line) echo "<b onclick='alert("XSS");'>click me</b>" | xclip -t text/html -selection "clipboard" and pastes that into the contenteditable.

An active element would be anything like:

  • html markup containing a <script>
  • html markup containing elements with inline handlers such as onclick="alert(\"XSS\");"
  • html markup containing javascript hrefs such as <a href="javascript:alert(\"XSS\")"> click me </a>

Now my question is, seeing that contenteditable seems somewhat safe from having any normal XSS vector pasted into it, whether that is by design.

I have read some specs/refs/whatever where it neither explicitly mentions that contenteditable should prevent any active Element from being inserted into the DOM of the page, nor that it would be allowed. This leaves me in doubt whether I should use the contenteditable feature, as I do not want to risk some external javascript being inserted into contenteditable. The XSS safety of contenteditable is the core of this question.

UPDATE: In contrast to the contenteditable attribute, the similar feature documents designMode seems to be specific (see about the javascript being disabled, hence XSS prevented).

UPDATE 2: The most recent reference/spec cited on MDN is which is oddly indifferent about any guarantees that contenteditable provides to not introduce malicious javascript via paste.

There is no standard which browsers must adhere to, so each browser will have its own implementation for handling user input. And if there is a way, you can be sure users will figure out how to do it (older browsers are usually the most susceptible). It's up to you to sanitize the user's input, whether it be from typing, pasting, etc. (I had to do this for a project, there's no way you can rely on it "just working").

As for designMode, the part you linked:

When a script is to be executed in a script execution context in which scripting is disabled, the script must do nothing and return nothing (a void return value).

Thus, for instance, enabling designMode will disable any event handler attributes, event listeners, timeouts, etc, that were set by scripts in the document.

This would make it appear designMode makes you "safe", but remember, specifications evolved over time, so without going back and testing all of the various browsers (or at least the ones your users have), you can never be sure.
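The answer's advice is to sanitize everything that enters the editable region yourself rather than relying on the browser. One way to do that client-side (server-side sanitization still applies) is an allow-list filter on the paste event: parse the pasted text/html with DOMParser, rebuild the tree keeping only known-safe elements and attributes, and insert the result instead of the raw clipboard markup. The block below is an added example written for this answer, not code from the original question or answer; it assumes a browser that provides DOMParser, the paste event with clipboardData, and window.getSelection(). The allow-lists (ALLOWED_TAGS, ALLOWED_ATTRS, SAFE_URL_SCHEMES) and all function names are my own choices.

```javascript
// Added example: allow-list sanitizer for HTML pasted into a contenteditable element.
// Assumes a browser environment (DOMParser, paste event, Selection API); the pure
// helpers isSafeUrl/isSafeAttribute have no DOM dependency and can be unit tested alone.

const ALLOWED_TAGS = new Set(['B', 'I', 'EM', 'STRONG', 'P', 'BR', 'UL', 'OL', 'LI', 'A', 'SPAN']);
const ALLOWED_ATTRS = new Set(['href', 'title']);
const SAFE_URL_SCHEMES = ['http:', 'https:', 'mailto:'];

// A URL is safe if it is relative or uses an allow-listed scheme. Whitespace and
// control characters are removed first because browsers tolerate them inside the
// scheme (e.g. "java\nscript:"), so a naive prefix check would be bypassed.
function isSafeUrl(value) {
  const cleaned = String(value).replace(/[\u0000-\u0020\u007f-\u009f]/g, '').toLowerCase();
  if (!/^[a-z][a-z0-9+.-]*:/.test(cleaned)) return true; // no scheme: relative URL
  return SAFE_URL_SCHEMES.some((scheme) => cleaned.startsWith(scheme));
}

// Event-handler attributes (on*) are always dropped; everything else must be on the
// allow-list, and href additionally has to pass the URL check.
function isSafeAttribute(name, value) {
  const n = String(name).toLowerCase();
  if (n.startsWith('on')) return false;
  if (!ALLOWED_ATTRS.has(n)) return false;
  if (n === 'href') return isSafeUrl(value);
  return true;
}

// Rebuild a parsed node into a fresh tree owned by `doc`. Unknown elements are
// unwrapped (their children are kept) except script/style, whose content is dropped.
function sanitizeNode(node, doc) {
  if (node.nodeType === 3) return doc.createTextNode(node.nodeValue); // text node
  if (node.nodeType !== 1) return null; // comments, processing instructions, etc.
  const tag = node.tagName.toUpperCase();
  if (tag === 'SCRIPT' || tag === 'STYLE') return null;
  const keepElement = ALLOWED_TAGS.has(tag);
  const out = keepElement ? doc.createElement(tag.toLowerCase()) : doc.createDocumentFragment();
  if (keepElement) {
    for (const attr of Array.from(node.attributes)) {
      if (isSafeAttribute(attr.name, attr.value)) out.setAttribute(attr.name, attr.value);
    }
  }
  for (const child of Array.from(node.childNodes)) {
    const clean = sanitizeNode(child, doc);
    if (clean) out.appendChild(clean);
  }
  return out;
}

// Parse untrusted HTML into an inert document (scripts in a DOMParser document do not
// run) and return a DocumentFragment containing only the allow-listed content.
function sanitizeHtml(html) {
  const parsed = new DOMParser().parseFromString(html, 'text/html');
  return sanitizeNode(parsed.body, document); // BODY is not allow-listed, so this is a fragment
}

// Replace the browser's default HTML paste with the sanitized fragment. Plain-text
// pastes are left to the browser, which inserts them as text, not markup.
function installPasteGuard(editable) {
  editable.addEventListener('paste', (event) => {
    const html = event.clipboardData.getData('text/html');
    if (!html) return;
    event.preventDefault();
    const selection = window.getSelection();
    if (!selection.rangeCount) return;
    const range = selection.getRangeAt(0);
    range.deleteContents();
    range.insertNode(sanitizeHtml(html));
  });
}

// Attach the guard to every contenteditable element on the page (browser only).
if (typeof document !== 'undefined') {
  document.querySelectorAll('[contenteditable]').forEach(installPasteGuard);
}
```

Pasting the question's `<b onclick='alert("XSS")'>click me</b>` through this handler yields a plain `<b>click me</b>`, the `<a href="javascript:...">` example keeps its text but loses the href, and a `<script>` block disappears entirely. Because the filter is an allow-list over a parsed tree rather than a pattern match over the raw string, new element or attribute names the browser might introduce are rejected by default.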

