Contact emails
securit...@google.com

Explainer
https://github.com/whatwg/html/issues/6235


Specification
https://github.com/whatwg/html/issues/6235


Summary

Escape "<" and ">" in values of attributes on serialization. This mitigates the 
risk of mutation XSS attacks, which occur when value of an attribute is 
interpreted as a start tag token after being serialized and re-parsed.



Blink component
Blink>HTML>Parser


TAG review
Details are shared on https://github.com/whatwg/html/issues/6235. The change 
was tested with Finch, ending on 10% of Stable. No web compat risks were 
observed. The only signal we got was that it broke a unit/e2e test which 
checked the exact content of HTML generated by Chromium.


TAG review status
Not applicable


Risks




Interoperability and Compatibility

None


Gecko: Positive (https://github.com/mozilla/standards-positions/issues/1209)

WebKit: Positive (https://github.com/WebKit/WebKit/pull/44842)

Web developers: No signals

Other signals:


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it 
has potentially high risk for Android WebView-based applications?

None




Debuggability

None



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, 
ChromeOS, Android, and Android WebView)?
No


Is this feature fully tested by web-platform-tests?
Yes


Flag name on about://flags
enable-experimental-web-platform-features


Finch feature name
EscapeLtGtInAttributes


Rollout plan
Will ship enabled for all users


Requires code in //chrome?
False


Estimated milestones

No milestones specified



Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop 
issues. Please list open issues (eg links to known github issues in the project 
for the feature specification) whose resolution may introduce web 
compat/interop risk (eg, changing to naming or structure of the API in a 
non-backward-compatible way).
None


Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/6264983847174144?gate=5114900925644800


This intent message was generated by Chrome Platform Status.

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/681dc854.170a0220.17d3dd.0198.GAE%40google.com.

Reply via email to