Risk of using contentEditable in IE
We have to add a basic HTML editor to our product. As we only support IE at present (most customers are still on IE 6), I have been told to use the Internet Explorer built-in XHTML editing capabilities – e.g.
<div contentEditable="true"> as explained at “Editing a Web Page”.
Apart from not working in other browsers. (The management does not consider it to be a problem. Our customers will put up with our software only working with IE. We have never lost any money by our software only working in IE; most customers will only let their staff use IE6 at present anyway.)
What other problems are we likely to get with contentEditable?
The HTML editor I wrote with “contentEditable” proved to be very hard to get reliable, with many problems. If I had to do this again, I would push very hard to use one of the many open source solutions (e.g. TinyMCE) or buy in a supported HTML editor.
No doubt a very skilled JScript programmer can get “contentEditable” to work well given enough time. It's just that all the examples on the web look so simple, until you test common operations like doing a cut/paste from Word and trying to edit the resulting HTML (just the sort of thing a customer will do).
(Just search for “contentEditable” on Stack Overflow to get some idea of the problems other people have had.)
The contentEditable property works in Safari, Firefox 3, and Opera 9.
Since manipulation will undoubtedly be through selections, your biggest problem will be getting the selection/ranges working across browsers (see here).
There are also numerous little bugs across browsers which may or may not bite you. These include incompatible case-sensitivity, incompatible methods of turning it off again (removeAttribute vs. setting to false).
Despite these flaws, I find it works rather well.
How about using some open-source solution that works in all major browsers?
There are other projects as well, but that’s what I’d use.
HTML 5 includes the contenteditable attribute, so it looks like it will be in IE for a long time to come.
Just got an email from someone on the IE team:
While it’s basically impossible to
comment on the future with a high
degree of confidence, it’s fair to say
that I’m not aware of any plans to
remove contentEditable, and if it were
removed, it would break a LOT of
contentEditable works under Firefox 3.
I don’t know of any problems with contentEditable.
I would just be sure to check what content you get back, as inserting XSS attacks is quite easy in IE if there is no validation of the HTML content added.