This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019.
Browsers allow the user to drag and drop HTML snippets within contenteditable regions. Ryosuke requested (via private e-mail a couple of months ago) that this be required, along with saying exactly what gets deleted/inserted when the user does this.
http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsTreeSanitizer.cpp is of interest here. (It doesn't behave nicely when Microdata is included on dangerous elements like 'object'.)