HTML spec change: escaping < and > in attributes
a year ago
- #HTML
- #Web Development
- #Security
- HTML specification updated to escape < and > in attribute values when serializing, to prevent mutation XSS (mXSS) vulnerabilities.
- Change affects Chrome 138 (Beta May 28, 2025, Stable June 24, 2025).
- Modifies how HTML fragments are serialized (innerHTML, outerHTML, getHTML()).
- Does not affect HTML parsing or DOM API attribute retrieval (getAttribute, dataset, etc.).
- Potential breakage in code using innerHTML/outerHTML to extract attribute values.
- End-to-end tests comparing HTML to static values may break and need updates.
- Change improves security by preventing instances of mutation XSS.
- Rollout timeline: Chromium (June 24, 2025), Firefox (version 140), Safari 26 Beta (September 2025).
- Bug reporting available for issues caused by this change.
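
The sketch below is an added example, not code from the spec or from any browser. It models attribute-value escaping during serialization before and after the change, and shows why code that pulls attribute values out of innerHTML/outerHTML strings can break. The helper names and the data-content sample are constructed for illustration; the pre-change escape set (&, U+00A0, ") follows the HTML serialization algorithm.

```javascript
// Attribute-value escaping as applied by the fragment serializer
// (innerHTML, outerHTML, getHTML()). Model only, not browser source.
function escapeAttrValue(value, { escapeAngleBrackets }) {
  let out = value
    .replace(/&/g, "&amp;")
    .replace(/\u00A0/g, "&nbsp;")
    .replace(/"/g, "&quot;");
  if (escapeAngleBrackets) {
    // New behaviour: < and > no longer appear raw inside attribute values.
    out = out.replace(/</g, "&lt;").replace(/>/g, "&gt;");
  }
  return out;
}

// Hypothetical helper: serialize one element's start tag.
function serializeStartTag(tagName, attrs, opts) {
  const parts = Object.entries(attrs).map(
    ([name, value]) => ` ${name}="${escapeAttrValue(value, opts)}"`
  );
  return `<${tagName}${parts.join("")}>`;
}

// Brittle pattern: reading an attribute out of serialized markup with a
// regex. It returns the escaped text, not the DOM value.
function extractAttrFromMarkup(markup, name) {
  const m = markup.match(new RegExp(`${name}="([^"]*)"`));
  return m ? m[1] : null;
}

// Single-pass entity decoding, standing in for what the HTML parser does.
// In a page, el.getAttribute(name) or el.dataset returns this value directly.
const ENTITIES = { lt: "<", gt: ">", quot: '"', nbsp: "\u00A0", amp: "&" };
function decodeAttrEntities(text) {
  return text.replace(/&(lt|gt|quot|nbsp|amp);/g, (_, n) => ENTITIES[n]);
}

function demo() {
  const attrs = { "data-content": "<u>hello</u>" }; // constructed sample
  const before = serializeStartTag("div", attrs, { escapeAngleBrackets: false });
  const after = serializeStartTag("div", attrs, { escapeAngleBrackets: true });
  const rawBefore = extractAttrFromMarkup(before, "data-content");
  const rawAfter = extractAttrFromMarkup(after, "data-content");
  return { before, after, rawBefore, rawAfter,
           decodedAfter: decodeAttrEntities(rawAfter) };
}

console.log(demo());
```

End-to-end tests that compare against static HTML need the `after` form as the expected string; code that needs the attribute value should read it through the DOM API rather than from serialized markup.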