Intent to prototype: Escape "<" and ">" in attributes when serializing HTML


Tom Schuster

Apr 23, 2025, 2:53:27 PM
to dev-pl...@mozilla.org
Summary: We want to change the escaping of HTML attribute values to
include "<" (&lt;) and ">" (&gt;).
The fact that these characters are not escaped currently can lead to
security issues in HTML parsers and sanitizers. (Currently
Nightly-only)
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1941347
Specification: https://github.com/whatwg/html/pull/6362
Standards Body: WhatWG
Platform coverage: everywhere
Preference: dom.security.html_serialization_escape_lt_gt
DevTools bug: n/a
Link to standards-positions discussion: none
Other browsers:
- Chrome: Rollout on Stable
https://github.com/whatwg/html/issues/6235#issuecomment-2729072764
- Webkit: no information
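
An added illustration of the escaping change described in the message above; it is not code from Firefox or from the specification, and the function names and the sample attribute value are constructed for the example. It serializes one attribute with and without "<" / ">" escaping and shows how a text-level scanner that ignores attribute quoting reads each result.

```javascript
// Added example: attribute-value escaping in HTML serialization,
// without and with the "<" / ">" escaping this intent proposes.
// Function names and the sample value are constructed for illustration.

// Previous attribute-mode escaping: only &, U+00A0 and " are replaced.
function escapeAttrLegacy(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/\u00A0/g, "&nbsp;")
    .replace(/"/g, "&quot;");
}

// Proposed escaping: additionally replace "<" and ">".
function escapeAttrProposed(value) {
  return escapeAttrLegacy(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Serialize one empty element with the chosen attribute escaper.
function serializeElement(tag, attrs, escapeAttr) {
  const attrText = Object.entries(attrs)
    .map(([name, value]) => ` ${name}="${escapeAttr(value)}"`)
    .join("");
  return `<${tag}${attrText}></${tag}>`;
}

// A simplistic text-level tag scanner, standing in for tooling that does
// not track attribute quoting: it ends every tag at the first ">".
function naiveTagScan(markup) {
  return markup.match(/<\/?[a-zA-Z][^>]*>/g) || [];
}

// Defender-side check: names of attributes whose serialized value
// still carries a raw "<" or ">".
function attrsWithRawAngleBrackets(markup) {
  const hits = [];
  for (const m of markup.matchAll(/([^\s"'=<>\/]+)="([^"]*)"/g)) {
    if (/[<>]/.test(m[2])) hits.push(m[1]);
  }
  return hits;
}

const sample = { title: 'a<b>c "quoted" & more' }; // constructed value
const legacy = serializeElement("div", sample, escapeAttrLegacy);
const proposed = serializeElement("div", sample, escapeAttrProposed);

console.log(legacy, naiveTagScan(legacy));
console.log(proposed, naiveTagScan(proposed));
```

With the legacy escaping the scanner cuts the start tag off inside the attribute value; with the proposed escaping the tag boundary it sees matches the real one.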

Tom Schuster

Apr 23, 2025, 3:01:49 PM
to dev-pl...@mozilla.org