Out of curiosity, which platforms will this not be supported on, and why?


Sorry, I put the wrong value there -- it will be supported on all platforms.
 

Given that Firefox has implemented this (Nightly-only), as well as Safari 
(not landed yet?), do we know why https://github.com/whatwg/html/pull/6362 
hasn't been merged yet?


Anne left a comment: "We should probably hold off until Chromium has 
actually deployed this?" so I think that's the reason.


Thanks,
Alison

On Friday, May 9, 2025 at 2:18:27 AM UTC-7 Chromestatus wrote:

Contact emails secur...@google.com 

Explainer https://github.com/whatwg/html/issues/6235 

Specification https://github.com/whatwg/html/issues/6235 

Summary 

Escape "<" and ">" in values of attributes on serialization. This mitigates 
the risk of mutation XSS attacks, which occur when the value of an attribute 
is interpreted as a start tag token after being serialized and re-parsed. 


Blink component Blink>HTML>Parser 
<https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EHTML%3EParser%22>
 

TAG review Details are shared on https://github.com/whatwg/html/issues/6235. 
The change was tested with Finch, ending on 10% of Stable. No web compat 
risks were observed. The only signal we got was that it broke a unit/e2e 
test which checked the exact content of HTML generated by Chromium. 

TAG review status Not applicable 

Risks 


Interoperability and Compatibility 

None


*Gecko*: Positive (
https://github.com/mozilla/standards-positions/issues/1209) 

*WebKit*: Positive (https://github.com/WebKit/WebKit/pull/44842) 

*Web developers*: No signals 

*Other signals*: 

WebView application risks 

Does this intent deprecate or change behavior of existing APIs, such that 
it has potentially high risk for Android WebView-based applications?

None


Debuggability 

None


Will this feature be supported on all six Blink platforms (Windows, Mac, 
Linux, ChromeOS, Android, and Android WebView)? No 

Is this feature fully tested by web-platform-tests 
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
? Yes 

Flag name on about://flags enable-experimental-web-platform-features 

Finch feature name EscapeLtGtInAttributes 

Rollout plan Will ship enabled for all users 

Requires code in //chrome? False 

Estimated milestones 

No milestones specified


Anticipated spec changes 

Open questions about a feature may be a source of future web compat or 
interop issues. Please list open issues (e.g. links to known github issues 
in the project for the feature specification) whose resolution may 
introduce web compat/interop risk (e.g., changing to naming or structure of 
the API in a non-backward-compatible way).
None 

Link to entry on the Chrome Platform Status 
https://chromestatus.com/feature/6264983847174144?gate=5114900925644800 

This intent message was generated by Chrome Platform Status 
<https://chromestatus.com>. 

To view this discussion visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1cd243fc-6071-46d5-8178-132fcd909b10n%40chromium.org.
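The serialization rule the intent describes, as an added example that is not code from the blink-dev thread, from Chromium or from the HTML spec: a plain-JavaScript model of the serializer's attribute-mode escaping before and after the change, plus a simplified model of how a raw-text element (here `<noscript>` in a scripting-enabled document) is re-parsed, so the mutation can be shown without a browser. The helper names (`escapeAttributeValue`, `serializeStartTag`, `rawTextEndIndex`, `leakedMarkupOnReparse`), the `<noscript>` payload and the raw-text parsing model are assumptions made for illustration; attribute names are assumed to be safe already and only the value escaping is modelled.

```javascript
'use strict';

// Attribute-mode escaping as in the HTML fragment serializer's "escaping a
// string" step. Legacy mode escapes "&", U+00A0 and '"' only; the shipped
// change (EscapeLtGtInAttributes) additionally escapes "<" and ">".
function escapeAttributeValue(value, { escapeLtGt = true } = {}) {
  let out = value
    .replace(/&/g, '&amp;')       // first, so later entities are not re-escaped
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/"/g, '&quot;');
  if (escapeLtGt) {
    out = out.replace(/</g, '&lt;').replace(/>/g, '&gt;');
  }
  return out;
}

// Hypothetical helper: serialize one start tag from a tag name and an
// attribute map. A browser walks the DOM; this covers only what is needed here.
function serializeStartTag(tagName, attrs, opts) {
  const parts = [tagName];
  for (const [name, value] of Object.entries(attrs)) {
    parts.push(`${name}="${escapeAttributeValue(value, opts)}"`);
  }
  return `<${parts.join(' ')}>`;
}

// Simplified model of the tokenizer's RAWTEXT end-tag search: inside
// <noscript> (scripting enabled), <style>, <xmp>, ... nothing is markup until
// the first "</tagname" followed by whitespace, "/" or ">". Returns its index
// in `text`, or -1 if there is none.
function rawTextEndIndex(text, tagName) {
  const re = new RegExp(`</${tagName}(?=[\\t\\n\\f />])`, 'i');
  const m = re.exec(text);
  return m ? m.index : -1;
}

// Constructed attacker value. When parsed with scripting disabled (DOMParser,
// or a server-side sanitizer), <noscript> content is ordinary markup, so this
// whole string ends up as the title attribute of a <p> element.
const ATTACKER_TITLE = '</noscript><img src=x onerror=alert(1)>';

// The fragment a scripting-disabled parser builds from
// '<noscript><p title="' + ATTACKER_TITLE + '"></p></noscript>', re-serialized
// with the legacy or the new attribute escaping.
function serializeNoscriptFragment(opts) {
  const inner = serializeStartTag('p', { title: ATTACKER_TITLE }, opts) + '</p>';
  return `<noscript>${inner}</noscript>`;
}

// Re-parse the serialized string in a scripting-enabled document, where
// <noscript> is a raw-text element. Returns whatever follows the first real
// </noscript>, i.e. the markup that would now be tokenized as live tags;
// '' means nothing escaped the raw-text context.
function leakedMarkupOnReparse(serialized) {
  const open = '<noscript>';
  if (!serialized.startsWith(open)) throw new Error('expected <noscript> fragment');
  const body = serialized.slice(open.length);
  const end = rawTextEndIndex(body, 'noscript');
  if (end < 0) return '';
  return body
    .slice(end)
    .replace(/^<\/noscript\s*>/i, '')   // the end tag that closed the raw text
    .replace(/<\/noscript\s*>$/i, '');  // the legitimate trailing end tag, if any
}

// Demo: legacy serialization leaks the <img> into live markup, the new one does not.
for (const escapeLtGt of [false, true]) {
  const html = serializeNoscriptFragment({ escapeLtGt });
  console.log(`escapeLtGt=${escapeLtGt}\n  serialized: ${html}`);
  console.log(`  leaked on re-parse: ${JSON.stringify(leakedMarkupOnReparse(html))}`);
}
```

In a real browser the same round trip is `new DOMParser().parseFromString(html, 'text/html').body.innerHTML` (scripting disabled at parse time) assigned back to the `innerHTML` of a live, scripting-enabled document. The example also shows the one compatibility effect the Finch trial surfaced: any test that compares exact serialized HTML will see `&lt;` and `&gt;` where it used to see a literal `<` or `>` inside an attribute value, which is a test expectation to update, not a functional break.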