LGTM1, but please update the following bits on ChromeStatus:

   - Estimated milestones. This is important for ensuring developers have
   an accurate picture of when changes like this are rolling out. Especially
   if this will be a gradual rollout of some sort, or has previously been
   tested in a gradual manner, that information needs to be captured.
   - Interop and Compat impact: this definitely has compat impact. Please
   summarize how this can change the behavior of web pages, and why we believe
   it's safe. (You've done that elsewhere, but recording it in ChromeStatus is
   helpful as that's a source of data we consult looking backward.)



On Tue, May 13, 2025 at 5:17 AM 'Michał Bentkowski' via blink-dev <
blink-dev@chromium.org> wrote:

>
> Out of curiosity, which platforms will this not be supported on, and why?
>
>
> Sorry, I put the wrong value there -- it will be supported on all
> platforms.
>
>
> Given that Firefox has implemented this (Nightly-only), as well as Safari
> (not landed yet?), do we know why https://github.com/whatwg/html/pull/6362
> hasn't been merged yet?
>
>
> Anne left a comment: "We should probably hold off until Chromium has
> actually deployed this?" so I think that's the reason.
>
>
> Thanks,
> Alison
>
> On Friday, May 9, 2025 at 2:18:27 AM UTC-7 Chromestatus wrote:
>
> Contact emails secur...@google.com
>
> Explainer https://github.com/whatwg/html/issues/6235
>
> Specification https://github.com/whatwg/html/issues/6235
>
> Summary
>
> Escape "<" and ">" in values of attributes on serialization. This
> mitigates the risk of mutation XSS attacks, which occur when the value of
> an attribute is interpreted as a start tag token after being serialized and
> re-parsed.
>
>
> Blink component Blink>HTML>Parser
> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EHTML%3EParser%22>
>
> TAG review Details are shared on
> https://github.com/whatwg/html/issues/6235. The change was tested with
> Finch, ending on 10% of Stable. No web compat risks were observed. The only
> signal we got was that it broke a unit/e2e test which checked the exact
> content of HTML generated by Chromium.
>
> TAG review status Not applicable
>
> Risks
>
>
> Interoperability and Compatibility
>
> None
>
>
> *Gecko*: Positive (
> https://github.com/mozilla/standards-positions/issues/1209)
>
> *WebKit*: Positive (https://github.com/WebKit/WebKit/pull/44842)
>
> *Web developers*: No signals
>
> *Other signals*:
>
> WebView application risks
>
> Does this intent deprecate or change behavior of existing APIs, such that
> it has potentially high risk for Android WebView-based applications?
>
> None
>
>
> Debuggability
>
> None
>
>
> Will this feature be supported on all six Blink platforms (Windows, Mac,
> Linux, ChromeOS, Android, and Android WebView)? No
>
> Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
> ? Yes
>
> Flag name on about://flags enable-experimental-web-platform-features
>
> Finch feature name EscapeLtGtInAttributes
>
> Rollout plan Will ship enabled for all users
>
> Requires code in //chrome? False
>
> Estimated milestones
>
> No milestones specified
>
>
> Anticipated spec changes
>
> Open questions about a feature may be a source of future web compat or
> interop issues. Please list open issues (e.g. links to known github issues
> in the project for the feature specification) whose resolution may
> introduce web compat/interop risk (e.g., changing to naming or structure of
> the API in a non-backward-compatible way).
> None
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/6264983847174144?gate=5114900925644800
>
> This intent message was generated by Chrome Platform Status
> <https://chromestatus.com>.
>
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to blink-dev+unsubscr...@chromium.org.
> To view this discussion visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1cd243fc-6071-46d5-8178-132fcd909b10n%40chromium.org
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1cd243fc-6071-46d5-8178-132fcd909b10n%40chromium.org?utm_medium=email&utm_source=footer>
> .
>
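The serialization change described in the intent's Summary, as an added example that is not Chromium's code or part of the original thread. It follows the attribute-mode steps of the HTML Standard's "escaping a string" algorithm; the helper names and the sample value are constructed for illustration, and the decoder handles only the five references this serializer emits.

```javascript
// Escape an attribute value for serialization.
// escapeLtGt=false models the previous behaviour, true the behaviour in the intent.
function escapeAttrValue(value, escapeLtGt) {
  let out = value
    .replace(/&/g, "&amp;")        // first, so later references are not double-escaped
    .replace(/\u00A0/g, "&nbsp;")
    .replace(/"/g, "&quot;");
  if (escapeLtGt) {
    out = out.replace(/</g, "&lt;").replace(/>/g, "&gt;");
  }
  return out;
}

// Hypothetical helper: serialize one start tag with double-quoted attributes.
function serializeStartTag(tagName, attrs, escapeLtGt) {
  const parts = Object.entries(attrs).map(
    ([name, value]) => ` ${name}="${escapeAttrValue(value, escapeLtGt)}"`
  );
  return `<${tagName}${parts.join("")}>`;
}

// Decode the five references emitted above; "&amp;" goes last so that
// "&amp;lt;" decodes to the literal text "&lt;" and not to "<".
function decodeAttrValue(escaped) {
  return escaped
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&nbsp;/g, "\u00A0")
    .replace(/&amp;/g, "&");
}

// Read one attribute's value back out of a serialized start tag.
// Safe here because '"' is always escaped, so the value ends at the first quote.
function attrValueOf(serialized, name) {
  const m = serialized.match(new RegExp(` ${name}="([^"]*)"`));
  return m ? decodeAttrValue(m[1]) : null;
}

const value = 'x < y && y > "z"';  // constructed sample value
const before = serializeStartTag("div", { title: value }, false);
const after = serializeStartTag("div", { title: value }, true);
// before: <div title="x < y &amp;&amp; y > &quot;z&quot;">
// after:  <div title="x &lt; y &amp;&amp; y &gt; &quot;z&quot;">
console.log(before, after, attrValueOf(before, "title") === attrValueOf(after, "title"));
```

The two serializations differ as strings but carry the same attribute value, which is why a test that asserts on exact serialized HTML can fail after the change while a test that compares parsed attribute values does not.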
