XSS protection may interfere with contenteditable HTML insertion
OS: Windows 11 · Device: Desktop or Laptop Any · Browser: Edge 120.0 · Keyboard: US
Open case →Scenario
XSS protection may interfere with contenteditable HTML insertion
Browser XSS protection mechanisms may interfere with programmatic HTML insertion in contenteditable elements. Script tags or event handlers inserted via innerHTML or similar methods may be stripped or sanitized.
other
Scenario ID
scenario-xss-protection
Details
Browser XSS protection mechanisms may interfere with programmatic HTML insertion in contenteditable elements. Script tags or event handlers inserted via innerHTML or similar methods may be stripped or sanitized.
References
- MDN: XSS Attacks - XSS protection overview
- MDN: Element.setHTMLUnsafe - Unsafe HTML insertion
- MDN: HTML Sanitizer API - Sanitization API
- Wikipedia: HTML sanitization - Sanitization concepts
- CVE-2025-29771: @jitbit/htmlsanitizer XSS vulnerability - Contenteditable sanitization bypass
- GitLab Advisories: @jitbit/htmlsanitizer CVE - Vulnerability details
- XJavaScript: Can scripts be inserted with innerHTML? - Script execution behavior
Scenario flow
Visual view of how this scenario connects to its concrete cases and environments. Nodes can be dragged and clicked.
Variants
Each row is a concrete case for this scenario, with a dedicated document and playground.
| Case | OS | Device | Browser | Keyboard | Status |
|---|---|---|---|---|---|
| ce-0075-contenteditable-with-xss-protection | Windows 11 | Desktop or Laptop Any | Edge 120.0 | US | draft |
Cases
Open a case to see the detailed description and its dedicated playground.
Related Scenarios
Other scenarios that share similar tags or category.
Tags: security, windows
Content Security Policy may restrict contenteditable behavior
When a page has a strict Content Security Policy (CSP), certain contenteditable operations may be restricted. Pasting content, executing scripts, or inserting HTML may be blocked depending on the CSP directives.
1 case
Tags: edge, windows
CSS transform may cause selection handles to appear in wrong position
When a contenteditable element has CSS transforms applied (translate, scale, rotate), the selection handles and caret may appear in incorrect positions. The visual position may not match the actual selection position.
1 case
Tags: windows
autofocus attribute does not work on contenteditable
The autofocus attribute, which automatically focuses form inputs on page load, does not work on contenteditable elements. There is no built-in way to automatically focus a contenteditable region when a page loads.
1 case
Tags: edge
contenteditable behavior differs when inside an iframe
When a contenteditable region is inside an iframe, its behavior may differ from when it's in the main document. Selection, focus, and event handling may be inconsistent.
1 case
Tags: windows
contenteditable inheritance behavior is inconsistent
When a parent element has contenteditable="true" and a child element has contenteditable="false", the inheritance behavior is inconsistent across browsers. Some browsers allow editing in the child, while others correctly prevent it. The behavior may also differ when the child has contenteditable="inherit" or no contenteditable attribute.
1 case
Comments & Discussion
Have questions, suggestions, or want to share your experience? Join the discussion below.