Removing all `data-*` attributes may break some editable web app libraries which depend on pasted content's attributes. And strictly speaking, each web app should handle them correctly instead, so it must be the last resort to fix this on the browser side. Additionally, this can be said for all `on*` attributes too. So I'm afraid of regressions from this change. Therefore, if fixing this on the browser side is the only possible choice,
> (This vulnerability was discovered during the security research that may be published on July 25th.)
I feel that this due date is too short for considering the big change. E.g., it's impossible to get feedback from testers in a couple of cycles. And unfortunately, 115 will ship in June, and it'll become the next ESR, thus 115 will be available until the end of next year. However, I don't think that even a security fix for this can be merged into ESR after shipping it.
I'd like to know how the security team thinks about this.
Bug 1833299 Comment 2 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Removing all `data-*` attributes may break some editable web app libraries which depend on pasted content's attributes. And strictly speaking, each web app should handle them correctly instead, so it must be the last resort to fix this on the browser side. ~~Additionally, this can be said for all `on*` attributes too.~~ So I'm afraid of regressions from this change. Therefore, if fixing this on the browser side is the only possible choice,
> (This vulnerability was discovered during the security research that may be published on July 25th.)
I feel that this due date is too short for considering the big change. E.g., it's impossible to get feedback from testers in a couple of cycles. And unfortunately, 115 will ship in June, and it'll become the next ESR, thus 115 will be available until the end of next year. However, I don't think that even a security fix for this can be merged into ESR after shipping it.
I'd like to know how the security team thinks about this.
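The comment's point that each web app should handle the attributes of pasted content itself, illustrated by an added example (not code from this bug thread, from Firefox, or from any editor library): a small JavaScript paste sanitizer that drops `on*` event-handler attributes and, optionally, `data-*` attributes from pasted HTML before it is inserted into an editable area, and reports what it dropped so the application can log or audit it. The tag and attribute grammar it handles is an assumption (the common well-formed subset; no DOM is used so it also runs under Node), and the pasted markup below is constructed for the example.

```javascript
// Added example (not from the bug thread): web-app-side sanitizer for pasted HTML.
// Drops `on*` attributes always and `data-*` attributes when asked to, keeping
// everything else untouched. Assumption: well-formed tags with quoted or
// simple unquoted attribute values; comments and text nodes pass through as-is.

// Matches one start or end tag: "<", optional "/", tag name, attribute text, ">".
// Attribute text may contain ">" only inside quotes.
const TAG_RE = /<(\/?)([A-Za-z][A-Za-z0-9:-]*)((?:[^>"']|"[^"]*"|'[^']*')*)>/g;

// Matches one attribute: name, optionally "=" and a quoted or unquoted value.
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;

function isDroppedAttribute(name, dropData) {
  const lower = name.toLowerCase();
  if (lower.startsWith('on')) return true;          // onclick, onerror, onmouseover, ...
  if (dropData && lower.startsWith('data-')) return true;
  return false;
}

// Returns { html, dropped } where `dropped` lists {tag, attr} pairs removed.
function stripPastedAttributes(html, { dropDataAttributes = true } = {}) {
  const dropped = [];
  const clean = html.replace(TAG_RE, (whole, slash, tagName, attrText) => {
    if (slash) return `</${tagName}>`;               // end tags carry no attributes
    const selfClosing = /\/\s*$/.test(attrText);     // "<img ... />" style
    const kept = [];
    for (const m of attrText.matchAll(ATTR_RE)) {
      const [, name, value] = m;
      if (isDroppedAttribute(name, dropDataAttributes)) {
        dropped.push({ tag: tagName.toLowerCase(), attr: name.toLowerCase() });
        continue;
      }
      kept.push(value === undefined ? name : `${name}=${value}`);
    }
    const attrs = kept.length ? ' ' + kept.join(' ') : '';
    return `<${tagName}${attrs}${selfClosing ? ' /' : ''}>`;
  });
  return { html: clean, dropped };
}

// Constructed sample of pasted markup (not taken from any real page).
const PASTED_SAMPLE =
  '<p data-id="42" onclick="handler()">Hi <a href="https://example.com" ' +
  "data-track='x' onmouseover=handler()>link</a>" +
  '<img src="x" onerror="handler()"/></p>';

// Runs the sanitizer on the constructed sample with the given policy.
function example(dropDataAttributes = true) {
  return stripPastedAttributes(PASTED_SAMPLE, { dropDataAttributes });
}

// In a browser this would sit in a paste handler, e.g.
//   editor.addEventListener('paste', (e) => {
//     const raw = e.clipboardData.getData('text/html');
//     const { html } = stripPastedAttributes(raw);
//     ...insert `html` instead of `raw`...
//   });
console.log(example().html);
```

The `dropped` list is the audit trail: an application that relies on its own `data-*` attributes can pass `dropDataAttributes: false` and still strip every event handler, which is the split the comment describes between what the app needs and what the browser would remove wholesale.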