
Intent to Ship: Escape "<" and ">" in attributes on serialization


Chromestatus

May 9, 2025, 5:18:27 AM
to blin...@chromium.org, secur...@google.com

Contact emails

secur...@google.com

Explainer

https://github.com/whatwg/html/issues/6235

Specification

https://github.com/whatwg/html/issues/6235

Summary

Escape "<" and ">" in values of attributes on serialization. This mitigates the risk of mutation XSS attacks, which occur when the value of an attribute is interpreted as a start tag token after being serialized and re-parsed.



Blink component

Blink>HTML>Parser

TAG review

Details are shared on https://github.com/whatwg/html/issues/6235. The change was tested with Finch, ending on 10% of Stable. No web compat risks were observed. The only signal we got was that it broke a unit/e2e test which checked the exact content of HTML generated by Chromium.

TAG review status

Not applicable

Risks



Interoperability and Compatibility

None



Gecko: Positive (https://github.com/mozilla/standards-positions/issues/1209)

WebKit: Positive (https://github.com/WebKit/WebKit/pull/44842)

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

No

Is this feature fully tested by web-platform-tests?

Yes

Flag name on about://flags

enable-experimental-web-platform-features

Finch feature name

EscapeLtGtInAttributes

Rollout plan

Will ship enabled for all users

Requires code in //chrome?

False

Estimated milestones

No milestones specified



Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

None

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/6264983847174144?gate=5114900925644800

This intent message was generated by Chrome Platform Status.
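
The serialization change described in the Summary above, as an added example that is not part of the original thread and is not Chromium's code: attribute-value escaping before and after the change, applied to a constructed attribute value that looks like markup. The function names, the sample value and the `strayTagDelimiters` check are assumptions made for illustration.

```javascript
// Added example; names are illustrative, not Chromium's implementation.

// Attribute-mode escaping before the change: only &, U+00A0 and " are replaced.
function escapeAttrLegacy(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/\u00A0/g, "&nbsp;")
    .replace(/"/g, "&quot;");
}

// Escaping after the change: "<" and ">" are replaced as well.
function escapeAttrNew(value) {
  return escapeAttrLegacy(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Serialize a start tag with the chosen escaping, as innerHTML/outerHTML would.
function serializeStartTag(name, attrs, escapeFn) {
  const parts = Object.entries(attrs).map(([k, v]) => ` ${k}="${escapeFn(v)}"`);
  return `<${name}${parts.join("")}>`;
}

// Reverse the escaping, limited to the entities the two escapers above emit.
// "&amp;" is decoded last so "&amp;lt;" round-trips to the literal text "&lt;".
function decodeAttr(escaped) {
  return escaped
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&nbsp;/g, "\u00A0")
    .replace(/&amp;/g, "&");
}

// Count raw "<" / ">" inside a serialized start tag, ignoring the tag's own
// delimiters. Any hit is text a second parse could read as a tag boundary.
function strayTagDelimiters(serializedTag) {
  return (serializedTag.slice(1, -1).match(/[<>]/g) || []).length;
}

// Constructed sample: an attribute value that resembles markup.
const SAMPLE = { title: '</div><p id="marker">A&B' };
const legacy = serializeStartTag("div", SAMPLE, escapeAttrLegacy);
const updated = serializeStartTag("div", SAMPLE, escapeAttrNew);

console.log(legacy);   // raw "<" and ">" survive inside the attribute
console.log(updated);  // same DOM value, no raw tag delimiters
```

The decoded attribute value is identical in both cases, so only code that compares the exact serialized string (such as the unit/e2e test mentioned under "TAG review") observes a difference.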

Alison Maher

May 12, 2025, 11:23:56 AM
to blink-dev, Chromestatus, secur...@google.com
Out of curiosity, which platforms will this not be supported on, and why?

Thanks,
Alison

Mike Taylor

May 12, 2025, 1:05:22 PM
to Alison Maher, blink-dev, Chromestatus, secur...@google.com

Given that Firefox has implemented this (Nightly-only), as well as Safari (not landed yet?), do we know why https://github.com/whatwg/html/pull/6362 hasn't been merged yet?

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/dd6c80a5-98bc-40a3-a1c4-681e63e32cedn%40chromium.org.

Michał Bentkowski

May 12, 2025, 4:17:35 PM
to blink-dev, Alison Maher, Chromestatus, secur...@google.com

> Out of curiosity, which platforms will this not be supported on, and why?

Sorry, I put the wrong value there -- it will be supported on all platforms.

> Given that Firefox has implemented this (Nightly-only), as well as Safari (not landed yet?), do we know why https://github.com/whatwg/html/pull/6362 hasn't been merged yet?

Anne left a comment: "We should probably hold off until Chromium has actually deployed this?" so I think that's the reason.

Domenic Denicola

May 13, 2025, 1:41:52 AM
to Michał Bentkowski, blink-dev, Alison Maher, Chromestatus
LGTM1, but please update the following bits on ChromeStatus:
  • Estimated milestones. This is important for ensuring developers have an accurate picture of when changes like this are rolling out. Especially if this will be a gradual rollout of some sort, or has previously been tested in a gradual manner, that information needs to be captured.
  • Interop and Compat impact: this definitely has compat impact. Please summarize how this can change the behavior of web pages, and why we believe it's safe. (You've done that elsewhere, but recording it in ChromeStatus is helpful as that's a source of data we consult looking backward.)



Michał Bentkowski

May 13, 2025, 1:56:27 AM
to Domenic Denicola, blink-dev, Alison Maher, Chromestatus
Thank you!

I added the relevant information on ChromeStatus.
--
Cheers,
Michał

Daniel Bratell

May 13, 2025, 1:47:34 PM
to Michał Bentkowski, Domenic Denicola, blink-dev, Alison Maher, Chromestatus

LGTM2

You left the Compatibility field empty which I don't think is accurate. There is always a risk that sites depend on the exact output of a function so please keep an eye open for any reported issues.

/Daniel

Michał Bentkowski

May 13, 2025, 1:49:45 PM
to Daniel Bratell, Domenic Denicola, blink-dev, Alison Maher, Chromestatus
Thanks! I updated the "Interoperability and Compatibility Risks" already on ChromeStatus.  
--
Cheers,
Michał

Alex Russell

May 13, 2025, 2:25:44 PM
to blink-dev, Michał Bentkowski, Domenic Denicola, blink-dev, alm...@microsoft.com, Chromestatus, Daniel Bratell
LGTM3 with the caveat that we likely have risks to enterprise apps that wouldn't have been visible from the 10% Finch experiment, and so we should do this on-by-default in Beta for most of a cycle, and make sure that we have a kill-switch in place in case of potential enterprise breakage in Stable.

Best,

 Alex


Michał Bentkowski

May 13, 2025, 11:40:20 PM
to blink-dev, Alex Russell, Michał Bentkowski, Domenic Denicola, blink-dev, alm...@microsoft.com, Chromestatus, Daniel Bratell
The experiment was also enabled on 50% of Beta. Wouldn't that catch potential Enterprise breakages?


Reilly Grant

May 14, 2025, 1:49:16 PM
to Michał Bentkowski, blink-dev, Alex Russell, Domenic Denicola, alm...@microsoft.com, Chromestatus, Daniel Bratell
Enterprises tend not to run beta-channel. They also tend to turn off metrics and crash reporting. A slow rollout as Alex is suggesting will hopefully catch issues early but we also need to be ready to react to urgent regressions as this reaches 100% on stable-channel.
Reilly Grant | Software Engineer | rei...@chromium.org | Google Chrome

