Escape "<" and ">" in attributes when serializing HTML
Categories: Core :: DOM: Core & HTML, task
People: Reporter: zcorpan, Assigned: tschuster
Keywords: dev-doc-complete, sec-want; Whiteboard: [adv-main139-]
Attachments: 1 file
See https://github.com/whatwg/html/issues/6235
Chromium is doing a staged rollout of this, currently at 1%, and hasn't found compat problems so far.
We should implement this as well, since it helps to mitigate mutation XSS (mXSS) attacks.
Comment 1•5 months ago
Now at 3% :)
Comment 2•3 months ago
Comment 3•3 months ago
I am only modifying nsContentUtils::SerializeNodeToMarkup here. We have some older serializers based on nsIContentSerializer, which as far as I can tell already escape < and >, at least when escaping at all. nsXMLContentSerializer::AppendAndTranslateEntities seems to escape it, which is also used for nsXHTMLContentSerializer::AppendAndTranslateEntities unless all entity encoding is disabled.
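The escaping rule this bug changes (see the description) and the serializer behaviour discussed in comment 3, shown as an added JavaScript model. This is not Firefox's serializer, Chromium's, or the spec's text; every function name here is this example's own and the sample attribute value is constructed. It contrasts the pre-change attribute escaping (only `&`, U+00A0 and `"`) with the post-change rule that also escapes `<` and `>`, shows that the new rule is still lossless when decoded, and includes a small check a defender can run over serializer output to confirm no attribute value still carries raw tag syntax, which is what lets a differently-contexted reparse misread the markup in the mXSS class mentioned above.

```javascript
// Added example, not Firefox's serializer or spec text: a model of the HTML
// fragment serialization rule for attribute values, before and after the
// change tracked in this bug (escape "<" and ">" too). All names are this
// example's own; the sample attribute value below is constructed.

// Pre-change rule: in attribute mode only "&", U+00A0 and '"' are escaped.
function escapeAttributeLegacy(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/\u00A0/g, "&nbsp;")
    .replace(/"/g, "&quot;");
}

// Post-change rule (whatwg/html#6235): additionally escape "<" and ">", so a
// serialized attribute value can never contain raw tag syntax.
function escapeAttribute(value) {
  return escapeAttributeLegacy(value)
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Inverse of both escapers, as a parser decodes a double-quoted attribute
// value; "&amp;" is decoded last so that "&amp;lt;" does not turn into "<".
function decodeAttribute(escaped) {
  return escaped
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&nbsp;/g, "\u00A0")
    .replace(/&amp;/g, "&");
}

// Serialize one start tag with double-quoted attributes using the given escaper.
function serializeStartTag(tagName, attributes, escape = escapeAttribute) {
  const attrs = Object.entries(attributes)
    .map(([name, value]) => ` ${name}="${escape(value)}"`)
    .join("");
  return `<${tagName}${attrs}>`;
}

// Defender-side check over serializer output: does any double-quoted attribute
// value still contain a raw "<" or ">"? Assumes text content was already
// escaped by the serializer, so a "<" outside quotes is a tag start.
function hasRawAngleBracketsInAttributes(markup) {
  let inTag = false;
  let inQuote = false;
  for (const ch of markup) {
    if (!inTag) {
      if (ch === "<") inTag = true;
    } else if (inQuote) {
      if (ch === '"') inQuote = false;
      else if (ch === "<" || ch === ">") return true;
    } else if (ch === '"') {
      inQuote = true;
    } else if (ch === ">") {
      inTag = false;
    }
  }
  return false;
}

// Constructed sample: an attribute value that happens to contain tag syntax.
const SAMPLE_VALUE = 'closes </p> early & uses "quotes"';

// Compare both rules on the sample and report what the check sees.
function demo() {
  const legacy = serializeStartTag("p", { title: SAMPLE_VALUE }, escapeAttributeLegacy);
  const current = serializeStartTag("p", { title: SAMPLE_VALUE });
  return {
    legacy,
    current,
    legacyHasRawBrackets: hasRawAngleBracketsInAttributes(legacy),
    currentHasRawBrackets: hasRawAngleBracketsInAttributes(current),
    roundTrips: decodeAttribute(escapeAttribute(SAMPLE_VALUE)) === SAMPLE_VALUE,
  };
}

console.log(demo());
```

Running `demo()` shows the legacy output keeping a literal `</p>` inside the `title` value while the current rule emits `&lt;/p&gt;`; `decodeAttribute` confirms the stricter escaping loses nothing, so the change is purely a safety margin for consumers that reparse serialized markup.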
Comment 5•3 months ago
bugherder
Comment 6•2 months ago
FF139 MDN docs work for this can be tracked in https://github.com/mdn/content/issues/39309
Comment 7•2 months ago
The pref is Nightly-only, isn't it?
Comment 8•2 months ago
> The pref is Nightly-only, isn't it?
That's how it looks and how I have documented it:
+# Serialize < as < and > as > in attribute values for getHTML, innerHTML etc.
+- name: dom.security.html_serialization_escape_lt_gt
- type: RelaxedAtomicBool
- value: @IS_NIGHTLY_BUILD@
- mirror: always
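Review bot: the comment line on the first `+` line reads "Serialize < as < and > as >", which as pasted describes no change at all; the entity names have been dropped and, going by the pref name `dom.security.html_serialization_escape_lt_gt`, should read `&lt;` and `&gt;`. Restoring them makes the comment state what the pref does. The `value: @IS_NIGHTLY_BUILD@` line is what makes the default Nightly-only, as comments 7 and 8 discuss, so the pref is a no-op on release builds until that default changes.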