Escape "<" and ">" in values of attributes on serialization. This mitigates the risk of mutation XSS attacks, which occur when the value of an attribute is interpreted as a start tag token after being serialized and re-parsed.
Please see https://github.com/whatwg/html/issues/6235#issuecomment-2315325422 for an overview of potential risks. The change has been under a flag for over a year and, as far as I'm aware, we have received zero reports of any breakages. I'd like to try to enable this change for a certain percentage of users of Beta/Dev channels to find out whether it results in real-world breakages.
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
None
If the change is made, then WPT will have to be updated to reflect it. See Chromium-specific test for now: https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/html/syntax/serializing-html-fragments/serializing-expected.txt;l=1?q=third_party%2Fblink%2Fweb_tests%2Fexternal%2Fwpt%2Fhtml%2Fsyntax%2Fserializing-html-fragments%2Fserializing-expected.txt%20&sq=
No milestones specified
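
The serialization change described at the top of this post, shown as an added example (not Chromium's code): a simplified model of attribute-value escaping without and with "<" and ">" escaped, plus a check that the value is unchanged once the parser decodes it. All function names and the sample attributes are hypothetical and constructed for illustration.

```javascript
// Added illustration, not Chromium's implementation. Names are hypothetical.

// Attribute-value escaping without the change: only &, U+00A0 and " are replaced.
function escapeAttrLegacy(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/\u00A0/g, "&nbsp;")
    .replace(/"/g, "&quot;");
}

// Attribute-value escaping with the change: "<" and ">" are escaped as well.
function escapeAttrHardened(value) {
  return escapeAttrLegacy(value)
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Serialize one start tag from a name and an attribute map with the given escaper.
function serializeStartTag(name, attrs, escapeAttr) {
  const parts = Object.entries(attrs).map(
    ([k, v]) => ` ${k}="${escapeAttr(v)}"`
  );
  return `<${name}${parts.join("")}>`;
}

// Decode the five references the escapers emit, in a single pass,
// the way a parser would when reading the attribute value back.
function decodeAttr(text) {
  const map = { "&lt;": "<", "&gt;": ">", "&quot;": '"', "&nbsp;": "\u00A0", "&amp;": "&" };
  return text.replace(/&(?:lt|gt|quot|nbsp|amp);/g, (m) => map[m]);
}

// A single serialized start tag should contain exactly one "<".
function countTagOpeners(markup) {
  return (markup.match(/</g) || []).length;
}

// Constructed sample input.
const sampleAttrs = { title: 'x <b> "y" & z', "data-note": "1 > 0" };
const legacy = serializeStartTag("div", sampleAttrs, escapeAttrLegacy);
const hardened = serializeStartTag("div", sampleAttrs, escapeAttrHardened);
console.log(legacy);   // raw "<b>" survives inside the title attribute
console.log(hardened); // "<" and ">" appear only as the tag's own delimiters
```

The attribute value seen by script after re-parsing is identical in both cases; only the serialized text differs, which is why the change is expected to be low-risk for compatibility.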