Ready for Developer Testing: Escape "<" and ">" in attributes on serialization

122 views
Skip to first unread message

Chromestatus

unread,
Aug 28, 2024, 9:40:46 AMAug 28
to blin...@chromium.org, secur...@google.com

Contact emails

secur...@google.com

Specification

https://github.com/whatwg/html/issues/6235

Summary

Escape "<" and ">" in values of attributes on serialization. This mitigates the risk of mutation XSS attacks, which occur when value of an attribute is interpreted as a start tag token after being serialized and re-parsed.



Blink component

Blink>HTML>Parser

TAG review

None

TAG review status

Not applicable

Risks



Interoperability and Compatibility

Please see https://github.com/whatwg/html/issues/6235#issuecomment-2315325422 for an overview of potential risks. The change has been under a flag for over a year and as far as I'm aware, we received zero reports on any breakages. I'd like to try to enable this change for a certain percentage of users of Beta/Dev channels to find out whether it results in real world breakages.



Gecko: No signal

WebKit: No signal

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Goals for experimentation



Ongoing technical constraints

None



Debuggability



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes

If the change is made, then WPT will have to be updated to reflect it. See Chromium-specific test for now: https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/html/syntax/serializing-html-fragments/serializing-expected.txt;l=1?q=third_party%2Fblink%2Fweb_tests%2Fexternal%2Fwpt%2Fhtml%2Fsyntax%2Fserializing-html-fragments%2Fserializing-expected.txt%20&sq=



Flag name on chrome://flags

enable-experimental-web-platform-features

Finch feature name

EscapeLtGtInAttributes

Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1175016

Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5083926074228736

This intent message was generated by Chrome Platform Status.
Reply all
Reply to author
Forward
0 new messages