Contact emails securit...@google.com
Specification https://github.com/whatwg/html/issues/6235 Summary Escape "<" and ">" in values of attributes on serialization. This mitigates the risk of mutation XSS attacks, which occur when value of an attribute is interpreted as a start tag token after being serialized and re-parsed. Blink component Blink>HTML>Parser TAG review None TAG review status Not applicable Risks Interoperability and Compatibility Please see https://github.com/whatwg/html/issues/6235#issuecomment-2315325422 for an overview of potential risks. The change has been under a flag for over a year and as far as I'm aware, we received zero reports on any breakages. I'd like to try to enable this change for a certain percentage of users of Beta/Dev channels to find out whether it results in real world breakages. Gecko: Positive (https://github.com/whatwg/html/pull/6362) WebKit: No signal Web developers: No signals Other signals: WebView application risks Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? None Debuggability Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)? Yes Is this feature fully tested by web-platform-tests? Yes If the change is made, then WPT will have to be updated to reflect it. See Chromium-specific test for now: https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/html/syntax/serializing-html-fragments/serializing-expected.txt;l=1?q=third_party%2Fblink%2Fweb_tests%2Fexternal%2Fwpt%2Fhtml%2Fsyntax%2Fserializing-html-fragments%2Fserializing-expected.txt%20&sq= Flag name on about://flags enable-experimental-web-platform-features Finch feature name EscapeLtGtInAttributes Rollout plan Will ship enabled for all users Requires code in //chrome? False Tracking bug https://bugs.chromium.org/p/chromium/issues/detail?id=1175016 Estimated milestones No milestones specified Anticipated spec changes Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (eg links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (eg, changing to naming or structure of the API in a non-backward-compatible way). None Link to entry on the Chrome Platform Status https://chromestatus.com/feature/5083926074228736?gate=5072565227225088 This intent message was generated by Chrome Platform Status. -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/681ccd39.170a0220.4750a.04d2.GAE%40google.com.
