Case ce-0075 · Scenario scenario-xss-protection

XSS protection may interfere with contenteditable HTML insertion

OS: Windows 11
Device: Desktop or Laptop (any)
Browser: Edge 120.0
Keyboard: US
Status: draft
Tags: xss, security, edge, windows

Phenomenon

Browser-side protections against script injection may interfere with programmatic HTML insertion into contenteditable elements: <script> elements or event-handler attributes inserted via innerHTML or similar APIs may be stripped, or may be present in the DOM but never executed. Caveat for anyone verifying this case: Edge 120 is Chromium-based and has no XSS Auditor (Chromium removed it in version 78), so any stripping observed here is not the work of a reflected-XSS filter. The plausible mechanisms are the page's own CSP or Trusted Types policy (which refuses a plain-string innerHTML assignment), the HTML specification's rule that <script> elements inserted through innerHTML are not executed, and the sanitization Chromium applies on its editing paths (paste and execCommand('insertHTML')), which drops script elements and event-handler attributes. Distinguishing these matters: "present but inert" is not the same security property as "removed".

Reproduction example

  1. Create a contenteditable div.
  2. Try to insert HTML with script tags or event handlers programmatically.
  3. Observe whether the HTML is inserted as-is or sanitized.
  4. Check if script execution is blocked.
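
The reproduction steps above, as an added example that is not part of the original case and not code from Edge or from this corpus: a probe that inserts constructed markup (a <script> element plus an <img onerror> handler) into a contenteditable host through two paths, plain innerHTML assignment and execCommand('insertHTML'), then reports for each path whether the nodes survived and whether anything ran. The function names (buildProbeHtml, runProbe, interpret), the marker prefix and the 250 ms settle time are assumptions of this example. Paste runProbe() and its helpers into the devtools console of the page under test; the pure helpers also load under Node, where there is no DOM and the driver is skipped.

```javascript
// Added example (not from the original case report). Probes how the browser
// treats <script> and event-handler attributes inserted into a contenteditable
// element through two paths: direct innerHTML assignment and the editing
// command execCommand('insertHTML'). Browser-only parts run only when a
// document exists; the helpers are pure so the file also loads under Node.

// Constructed probe markup. Each probe gets a fresh object on window so that an
// executed script or handler can be detected without alert() or console noise.
function buildProbeHtml(marker) {
  return (
    '<p>probe</p>' +
    '<script>window["' + marker + '"].script = true;</script>' +
    '<img src="x" onerror="window[\'' + marker + '\'].handler = true">'
  );
}

function newMarker() {
  return '__ceProbe_' + Math.random().toString(36).slice(2);
}

// Path 1: plain DOM insertion. A Trusted Types policy
// (require-trusted-types-for 'script') makes this assignment throw, which is
// reported as "blocked" instead of crashing the probe.
function insertViaInnerHtml(container, html) {
  try {
    container.innerHTML = html;
    return { blocked: false, error: null };
  } catch (err) {
    return { blocked: true, error: String(err) };
  }
}

// Path 2: the editing pipeline. execCommand is deprecated but still available
// in Edge 120; it needs a live selection inside the editable host.
function insertViaInsertHtml(container, html) {
  container.focus();
  const range = document.createRange();
  range.selectNodeContents(container);
  range.collapse(false);
  const sel = window.getSelection();
  sel.removeAllRanges();
  sel.addRange(range);
  const ok = document.execCommand('insertHTML', false, html);
  return { blocked: !ok, error: ok ? null : 'execCommand returned false' };
}

// What ended up in the DOM, and what actually executed.
function inspect(container, flags, insertResult) {
  return {
    blocked: insertResult.blocked,
    scriptElementPresent: container.querySelector('script') !== null,
    handlerAttributePresent: container.querySelector('[onerror]') !== null,
    scriptExecuted: flags.script === true,
    handlerExecuted: flags.handler === true,
  };
}

// Map an observation to the explanation a practitioner needs. "Stripped by a
// sanitizer" and "kept but inert" look identical to a user but are different
// security properties; the verdict keyword comes before the colon.
function interpret(obs) {
  if (obs.blocked) {
    return 'blocked: insertion refused before anything entered the DOM (Trusted Types/CSP or failed editing command)';
  }
  const removed = [];
  if (!obs.scriptElementPresent) removed.push('script element');
  if (!obs.handlerAttributePresent) removed.push('onerror attribute');
  if (removed.length === 2) {
    return 'stripped: active content removed on insertion (editing-path sanitizer)';
  }
  if (removed.length === 1) {
    return 'partially-stripped: ' + removed[0] + ' removed, the rest kept';
  }
  if (!obs.scriptExecuted && obs.handlerExecuted) {
    return 'inert-script: script kept but not run (HTML spec for innerHTML); event handler still fires';
  }
  if (!obs.scriptExecuted && !obs.handlerExecuted) {
    return 'present-but-blocked: markup kept, nothing ran (likely CSP script-src without unsafe-inline)';
  }
  return 'executed: inserted script and/or handler ran; no protection on this path';
}

// Browser-only driver: runs both paths on throwaway editable hosts and waits
// for the asynchronous <img onerror> before inspecting.
async function runProbe(settleMs = 250) {
  const paths = [['innerHTML', insertViaInnerHtml], ['insertHTML', insertViaInsertHtml]];
  const results = {};
  for (const [name, insert] of paths) {
    const host = document.createElement('div');
    host.contentEditable = 'true';
    document.body.appendChild(host);
    const marker = newMarker();
    window[marker] = {};
    const insertResult = insert(host, buildProbeHtml(marker));
    await new Promise((resolve) => setTimeout(resolve, settleMs));
    const observation = inspect(host, window[marker], insertResult);
    results[name] = { observation, verdict: interpret(observation) };
    host.remove();
    delete window[marker];
  }
  return results;
}

if (typeof document !== 'undefined') {
  runProbe().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

If the innerHTML path reports "inert-script" while the insertHTML path reports "stripped", the difference the case describes is the editing pipeline's sanitizer, not a generic XSS filter; if both report "blocked", look at the page's Content-Security-Policy header before filing anything against the browser.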

Observed behavior

  • In Edge on Windows, <script> elements may be stripped from HTML inserted through the editing paths (paste, execCommand('insertHTML')).
  • Event handlers may be removed from attributes on those paths; on the innerHTML path they are kept and still fire (for example, onerror on a broken image).
  • A <script> element inserted via innerHTML is kept in the DOM but does not execute; this is specified behavior, not sanitization.
  • Under a Trusted Types policy the innerHTML assignment itself throws, so nothing is inserted at all.
  • Behavior therefore differs between standard DOM manipulation and the editing commands, which is easy to mistake for an XSS filter.

Expected behavior

  • Protection against injected script should be transparent to the editor's own insertion code.
  • Failing that, the markup that is accepted and the markup that is removed should be clearly documented.
  • Sanitization should be consistent across insertion paths (innerHTML, paste, insertHTML) and predictable.
