Given that Firefox has implemented this (Nightly-only <https://bugzilla.mozilla.org/show_bug.cgi?id=1941347>), as well as Safari (not landed yet? <https://github.com/WebKit/WebKit/pull/44842>), do we know why https://github.com/whatwg/html/pull/6362 hasn't been merged yet?

On 5/12/25 11:23 AM, 'Alison Maher' via blink-dev wrote:
Out of curiosity, which platforms will this not be supported on, and why?

Thanks,
Alison

On Friday, May 9, 2025 at 2:18:27 AM UTC-7 Chromestatus wrote:


            Contact emails

    secur...@google.com


            Explainer

    https://github.com/whatwg/html/issues/6235


            Specification

    https://github.com/whatwg/html/issues/6235


            Summary

    Escape "<" and ">" in values of attributes on serialization. This
    mitigates the risk of mutation XSS attacks, which occur when the
    value of an attribute is interpreted as a start tag token after
    being serialized and re-parsed.



            Blink component

    Blink>HTML>Parser
    <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EHTML%3EParser%22>



            TAG review

    Details are shared on https://github.com/whatwg/html/issues/6235.
    The change was tested with Finch, ending on 10% of Stable. No web
    compat risks were observed. The only signal we got was that it
    broke a unit/e2e test which checked the exact content of HTML
    generated by Chromium.


            TAG review status

    Not applicable


            Risks



            Interoperability and Compatibility

    None



    /Gecko/: Positive
    (https://github.com/mozilla/standards-positions/issues/1209)

    /WebKit/: Positive (https://github.com/WebKit/WebKit/pull/44842)

    /Web developers/: No signals

    /Other signals/:


            WebView application risks

    Does this intent deprecate or change behavior of existing APIs,
    such that it has potentially high risk for Android WebView-based
    applications?

    None



            Debuggability

    None



            Will this feature be supported on all six Blink platforms
            (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

    No


            Is this feature fully tested by web-platform-tests
            <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

    Yes


            Flag name on about://flags

    enable-experimental-web-platform-features


            Finch feature name

    EscapeLtGtInAttributes


            Rollout plan

    Will ship enabled for all users


            Requires code in //chrome?

    False


            Estimated milestones

    No milestones specified



            Anticipated spec changes

    Open questions about a feature may be a source of future web
    compat or interop issues. Please list open issues (e.g. links to
    known github issues in the project for the feature specification)
    whose resolution may introduce web compat/interop risk (e.g.,
    changes to naming or structure of the API in a
    non-backward-compatible way).

    None


            Link to entry on the Chrome Platform Status

    https://chromestatus.com/feature/6264983847174144?gate=5114900925644800


    This intent message was generated by Chrome Platform Status
    <https://chromestatus.com>.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/dd6c80a5-98bc-40a3-a1c4-681e63e32cedn%40chromium.org <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/dd6c80a5-98bc-40a3-a1c4-681e63e32cedn%40chromium.org?utm_medium=email&utm_source=footer>.
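
The serialization change described in the Summary, as an added example that is not part of the original thread and is not Chromium's code: it compares attribute-value escaping before and after the change and shows why a test that matches exact serialized HTML breaks while the parsed attribute values stay identical. All function names and the sample element are constructed; the "before" escaping set is the HTML Standard's attribute-mode escaping ("&", U+00A0, '"').

```javascript
// Added example: names and sample data are constructed for illustration.

// Attribute-value escaping before the change: "&", U+00A0 and '"' only.
function escapeAttrLegacy(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/\u00A0/g, "&nbsp;")
    .replace(/"/g, "&quot;");
}

// Escaping as described in the intent: "<" and ">" are escaped as well.
function escapeAttrLtGt(value) {
  return escapeAttrLegacy(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Serialize a start tag from a tag name and a Map of attribute name -> value.
function serializeStartTag(name, attrs, escape) {
  let out = "<" + name;
  for (const [key, value] of attrs) out += ` ${key}="${escape(value)}"`;
  return out + ">";
}

// Decode only the references the two escapers above can emit (single pass,
// so "&amp;lt;" correctly yields the literal text "&lt;").
function decodeAttr(text) {
  const refs = { lt: "<", gt: ">", quot: '"', nbsp: "\u00A0", amp: "&" };
  return text.replace(/&(lt|gt|quot|nbsp|amp);/g, (_, name) => refs[name]);
}

// Read double-quoted attributes back out of a start tag produced above.
function readAttrs(startTag) {
  const attrs = new Map();
  for (const m of startTag.matchAll(/([^\s=<>"]+)="([^"]*)"/g)) {
    attrs.set(m[1], { raw: m[2], value: decodeAttr(m[2]) });
  }
  return attrs;
}

// Constructed sample: a benign value containing every affected character.
const sample = new Map([["title", 'a<b> & "c"'], ["data-note", "plain"]]);
const legacy = serializeStartTag("div", sample, escapeAttrLegacy);
const escaped = serializeStartTag("div", sample, escapeAttrLtGt);

// The serialized strings differ; the decoded attribute values do not.
console.log(legacy);
console.log(escaped);
console.log(readAttrs(legacy).get("title").value === readAttrs(escaped).get("title").value);
```

Tests that assert on serialized markup can compare the decoded values from `readAttrs` instead of the raw string, which holds under either escaping mode.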
