1962084 - Ship escaping of "<" and ">" in attributes

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, task)

Comment 1

[Tom Schuster]

Attachment: Bug 1962084 - Ship escaping of "<" and ">" in attributes. r?#dom-core,zcorpan,hsivonen

Comment 2

[Pulsebot]

Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/513d59a1da84
Ship escaping of "<" and ">" in attributes. r=zcorpan,hsivonen,dom-core

Comment 3

[agoloman]

https://hg.mozilla.org/mozilla-central/rev/513d59a1da84

Comment 4

[Donal Meehan [:dmeehan]]

Tom, could you consider nominating this for a release note? (Process info)

Comment 5

[Hamish Willee]

FF140 MDN docs for this can be tracked on https://github.com/mdn/content/issues/39628

Comment 6

[Tom Schuster]

Release Note Request (optional, but appreciated)
[Why is this notable]: Prevents certain mXSS attacks and changes behavior
[Affects Firefox for Android]: Yes
[Suggested wording]: Firefox will now escape less-than (<) and greater-than (>) symbols when serializing HTML attributes, making certain mXSS attacks on websites more difficult.
[Links (documentation, blog post, etc)]: https://github.com/whatwg/html/issues/6235 (Maybe someone knows of a blog post?)

Comment 7

[Donal Meehan [:dmeehan]]

Thanks, added to the Fx140 nightly release notes, please allow 30 minutes for the site to update.
Keeping the relnote-firefox flag as ? to keep it on the radar for inclusion in the final Fx140 release notes.