Out of curiosity, which platforms will this not be supported on, and why?

Thanks,
Alison

On Friday, May 9, 2025 at 2:18:27 AM UTC-7 Chromestatus wrote:

> Contact emails
> secur...@google.com
>
> Explainer
> https://github.com/whatwg/html/issues/6235
>
> Specification
> https://github.com/whatwg/html/issues/6235
>
> Summary
>
> Escape "<" and ">" in values of attributes on serialization. This
> mitigates the risk of mutation XSS attacks, which occur when value of an
> attribute is interpreted as a start tag token after being serialized and
> re-parsed.
>
> Blink component
> Blink>HTML>Parser
> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EHTML%3EParser%22>
>
> TAG review
> Details are shared on https://github.com/whatwg/html/issues/6235. The
> change was tested with Finch, ending on 10% of Stable. No web compat risks
> were observed. The only signal we got was that it broke a unit/e2e test
> which checked the exact content of HTML generated by Chromium.
>
> TAG review status
> Not applicable
>
> Risks
>
> Interoperability and Compatibility
>
> None
>
> *Gecko*: Positive (https://github.com/mozilla/standards-positions/issues/1209)
>
> *WebKit*: Positive (https://github.com/WebKit/WebKit/pull/44842)
>
> *Web developers*: No signals
>
> *Other signals*:
>
> WebView application risks
>
> Does this intent deprecate or change behavior of existing APIs, such that
> it has potentially high risk for Android WebView-based applications?
>
> None
>
> Debuggability
>
> None
>
> Will this feature be supported on all six Blink platforms (Windows, Mac,
> Linux, ChromeOS, Android, and Android WebView)?
> No
>
> Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
> Yes
>
> Flag name on about://flags
> enable-experimental-web-platform-features
>
> Finch feature name
> EscapeLtGtInAttributes
>
> Rollout plan
> Will ship enabled for all users
>
> Requires code in //chrome?
> False
>
> Estimated milestones
>
> No milestones specified
>
> Anticipated spec changes
>
> Open questions about a feature may be a source of future web compat or
> interop issues. Please list open issues (e.g. links to known github issues
> in the project for the feature specification) whose resolution may
> introduce web compat/interop risk (e.g., changing to naming or structure of
> the API in a non-backward-compatible way).
>
> None
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/6264983847174144?gate=5114900925644800
>
> This intent message was generated by Chrome Platform Status
> <https://chromestatus.com>.
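
The escaping rule described in the quoted Summary, as an added example that is not part of the original thread or Chromium's code: a minimal serializer that escapes attribute values with and without the "<" / ">" step, plus a helper that lists which attributes serialize differently. The function names, the `escapeLtGt` parameter and the sample attributes are assumptions made for illustration.

```javascript
// Added example: HTML attribute-value escaping at serialization time,
// without and with the "<" / ">" escaping described in the Summary.
const BASE_ESCAPES = { "&": "&amp;", "\u00A0": "&nbsp;", '"': "&quot;" };
const LT_GT_ESCAPES = { "<": "&lt;", ">": "&gt;" };

// escapeLtGt=false: earlier behaviour; true: behaviour with the change.
function escapeAttributeValue(value, escapeLtGt) {
  const table = escapeLtGt ? { ...BASE_ESCAPES, ...LT_GT_ESCAPES } : BASE_ESCAPES;
  // Characters missing from the active table are passed through unchanged.
  return String(value).replace(/[&\u00A0"<>]/g, (ch) => table[ch] || ch);
}

// Serializes one start tag from a plain object of attributes (hypothetical helper).
function serializeStartTag(tagName, attrs, escapeLtGt) {
  const parts = Object.entries(attrs).map(
    ([name, value]) => `${name}="${escapeAttributeValue(value, escapeLtGt)}"`
  );
  return `<${[tagName, ...parts].join(" ")}>`;
}

// Names of attributes whose serialized form changes under the new rule.
function attributesAffected(attrs) {
  return Object.keys(attrs).filter(
    (name) =>
      escapeAttributeValue(attrs[name], false) !== escapeAttributeValue(attrs[name], true)
  );
}

// Constructed sample input.
const sampleAttrs = {
  alt: "a < b",
  title: 'x > "y"',
  "data-note": "Tom & Jerry",
};

console.log(serializeStartTag("img", sampleAttrs, false));
console.log(serializeStartTag("img", sampleAttrs, true));
console.log(attributesAffected(sampleAttrs));
```

A check like `attributesAffected` is useful for finding tests that compare exact serialized HTML, the one kind of breakage the TAG review section reports.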