XSS protection may interfere with contenteditable HTML insertion

OS: Windows 11 Gerät: Desktop or Laptop Any Browser: Edge 120.0 Tastatur: US Entwurf

xsssecurityedgewindows

Diese Seite wurde noch nicht übersetzt

Derzeit wird der englische Originalinhalt angezeigt. Wir freuen uns über Ihre Hilfe bei der Übersetzung.

Bei der Übersetzung helfen Englisches Original ansehen

Phenomenon

Browser XSS protection mechanisms may interfere with programmatic HTML insertion in contenteditable elements. Script tags or event handlers inserted via innerHTML or similar methods may be stripped or sanitized.

Reproduction example

Create a contenteditable div.
Try to insert HTML with script tags or event handlers programmatically.
Observe whether the HTML is inserted as-is or sanitized.
Check if script execution is blocked.

Observed behavior

In Edge on Windows, XSS protection may strip script tags from inserted HTML.
Event handlers may be removed from attributes.
Some HTML may be sanitized automatically.
Behavior may differ from standard DOM manipulation.

Expected behavior

XSS protection should work transparently.
Or, there should be clear documentation on what is allowed.
Sanitization should be consistent and predictable.

Playground for this case

Use the reported environment as a reference and record what happens in your environment while interacting with the editable area.

Reported environment

OS: Windows 11

Device: Desktop or Laptop Any

Browser: Edge 120.0

Keyboard: US

Your environment

OSDeviceBrowserKeyboard

Use this editable area to reproduce the described case.

Event log

Use this log together with the case description when filing or updating an issue.

0 events

Interact with the editable area to see events here.