I have a content editable div:
<div contenteditable="true"></div>
HTML can be pasted into that div. Is the HTML guaranteed not to have script tags or event handler attributes, etc.?
I have not found a source, but I am guessing that all browsers strip scripts. Otherwise, it seems very open to phishing-style user XSS: "see dancing ponies, by pasting this into Gmail..."
Edit: For example, Chrome strips the <script> element if you copy and paste with the following:
div {
border: 1px solid black;
}
Copy this:
<div>
<b>Stack</b> <i>Overflow</i>
<br>
<script>
if(document.querySelectorAll('div[contenteditable=true]').length) {
alert('Hacked!');
}
</script>
<img src="http://blog.stackoverflow.com/wp-content/uploads/stackoverflow-logo-300.png">
</div>
<br>
<br>
Into this: (if you see a `Hacked!` alert, the script was not stripped)
<div contenteditable="true"></div>
Is this a guaranteed behavior? Or do I have to do something special to prevent XSS?
Short answer: no, pasted HTML is not guaranteed not to contain script tags and other forms of script embedding.
contenteditable is not a ready-to-use WYSIWYG editor but rather a mechanism to build an editor on top of it. So don't expect pasted content filtering in it. It's the responsibility of the code on top of contenteditable to filter scripts, MS Word stuff, Apple rich-text traces, etc.
Even more: the HTML clipboard format is not specified anywhere. Each platform uses its own. E.g. Windows uses CF_HTML, OS X has its own that is not specified anywhere AFAIK, etc.
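One way to do the filtering the answer puts on the code above contenteditable, as an added example that is not from the question or the answer: an allowlist-based paste handler that parses the clipboard's text/html flavour with DOMParser into an inert document, prunes it, and only then inserts it into the live page. The names ALLOWED_TAGS, ALLOWED_ATTRS, isSafeUrl, sanitizeTree and installPasteFilter, and the allowlist itself, are assumptions chosen for this example.

```javascript
// Added example, not from the question or answer. Names (ALLOWED_TAGS, sanitizeTree,
// installPasteFilter, isSafeUrl) are assumed; the caller picks the contenteditable host.
const ALLOWED_TAGS = new Set(['B', 'I', 'EM', 'STRONG', 'P', 'BR', 'DIV', 'SPAN', 'A', 'IMG', 'UL', 'OL', 'LI']);
const ALLOWED_ATTRS = { A: ['href'], IMG: ['src', 'alt'] };   // on*, style, etc. are never kept
// Relative URLs and http(s)/mailto pass; javascript:, data:, vbscript: and obfuscated
// forms such as "java\tscript:" fail (whitespace and control characters are removed first).
function isSafeUrl(value) {
  const v = String(value).trim().toLowerCase().replace(/[\s\u0000-\u001f]/g, '');
  return /^(https?:|mailto:)/.test(v) || !/^[a-z][a-z0-9+.-]*:/.test(v);
}
// Prunes a parsed tree in place; returns the number of nodes and attributes removed.
// Non-allowlisted elements go with their contents, so <script>/<style>/<iframe> never survive.
function sanitizeTree(node) {
  let removed = 0;
  for (const child of Array.from(node.childNodes)) {     // copy: the list mutates below
    if (child.nodeType === 1) {                           // ELEMENT_NODE
      const tag = child.tagName.toUpperCase();
      if (!ALLOWED_TAGS.has(tag)) { child.remove(); removed++; continue; }
      const keep = ALLOWED_ATTRS[tag] || [];
      for (const attr of Array.from(child.attributes)) {
        const name = attr.name.toLowerCase();
        const badUrl = (name === 'href' || name === 'src') && !isSafeUrl(attr.value);
        if (!keep.includes(name) || badUrl) { child.removeAttribute(attr.name); removed++; }
      }
      removed += sanitizeTree(child);
    } else if (child.nodeType !== 3) {                    // keep TEXT_NODE only (no comments)
      child.remove(); removed++;
    }
  }
  return removed;
}
// Browser glue: take over the paste event, sanitise the text/html flavour, insert the result.
function installPasteFilter(host) {
  host.addEventListener('paste', (ev) => {
    const html = ev.clipboardData.getData('text/html');
    if (!html) return;                                    // plain text: let the browser paste it
    ev.preventDefault();
    const doc = new DOMParser().parseFromString(html, 'text/html');   // inert document: no script runs
    sanitizeTree(doc.body);
    const sel = window.getSelection();
    if (!sel.rangeCount) return;
    const range = sel.getRangeAt(0);
    range.deleteContents();
    const frag = document.createDocumentFragment();
    while (doc.body.firstChild) frag.appendChild(doc.body.firstChild);   // keeps source order
    range.insertNode(frag);
    range.collapse(false);                                // caret ends after the pasted content
  });
}
```

Call installPasteFilter on each contenteditable host once the DOM has loaded. Because DOMParser produces a document whose scripts are never executed, the pruning happens before any pasted markup touches the live page.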