Escape "<" and ">" in attributes on serialization

Category: Miscellaneous
Type: New or changed feature
Status: Proposed (Chrome Proposed)
Intent stage: None

Summary

Escape "<" and ">" in the values of attributes on serialization. This mitigates the risk of mutation XSS attacks, which occur when the value of an attribute is interpreted as a start tag token after being serialized and re-parsed.

Motivation

Escaping "<" and ">" in attributes mitigates the risk of mutation XSS attacks, which occur when the value of an attribute is interpreted as a start tag token after being serialized and re-parsed.
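To make the change concrete, the following added example (written for this page; it is not Chromium or WHATWG code) implements the attribute-value escaping step of HTML fragment serialization in both forms: the legacy set, which escapes only "&", U+00A0 and the double quote in attribute mode, and the proposed set, which also escapes "<" and ">". The function names `escapeAttributeValue` and `serializeStartTag` and the `escapeAngleBrackets` option are assumptions of this example, not spec or browser API names. A helper then reports whether a serialized start tag still carries a raw "<" inside an attribute value, which is the condition under which a lenient or context-confused re-parse can turn the value into a tag token.

```javascript
// Escaping as applied to an attribute value during HTML serialization.
// Legacy behaviour escapes '&', U+00A0 and '"'; the proposed behaviour
// additionally escapes '<' and '>'. (Function names are assumptions.)
function escapeAttributeValue(value, { escapeAngleBrackets = true } = {}) {
  const map = { "&": "&amp;", "\u00a0": "&nbsp;", '"': "&quot;" };
  if (escapeAngleBrackets) {
    map["<"] = "&lt;";
    map[">"] = "&gt;";
  }
  // A single pass with a character class avoids the classic ordering
  // bug where '&' is escaped after other replacements have already
  // introduced new '&' characters.
  const pattern = escapeAngleBrackets ? /[&\u00a0"<>]/g : /[&\u00a0"]/g;
  return value.replace(pattern, (ch) => map[ch]);
}

// Serialize a start tag with double-quoted attribute values, the form
// produced by innerHTML / outerHTML getters.
function serializeStartTag(tagName, attributes, options = {}) {
  const parts = [];
  for (const [name, value] of Object.entries(attributes)) {
    parts.push(` ${name}="${escapeAttributeValue(value, options)}"`);
  }
  return `<${tagName}${parts.join("")}>`;
}

// Defender-side check: does a serialized start tag still contain a raw
// '<' inside any double-quoted attribute value? Such output is what the
// feature removes; its presence is a signal that the serializer in use
// does not yet escape angle brackets.
function hasRawLessThanInAttributes(serialized) {
  const attrValue = /="([^"]*)"/g;
  let match;
  while ((match = attrValue.exec(serialized)) !== null) {
    if (match[1].includes("<")) return true;
  }
  return false;
}

// Constructed sample attribute value: angle brackets, quotes and an ampersand.
const SAMPLE_TITLE = '<b>"x"</b> & y';

const legacy = serializeStartTag("a", { title: SAMPLE_TITLE }, { escapeAngleBrackets: false });
const proposed = serializeStartTag("a", { title: SAMPLE_TITLE });
console.log("legacy:  ", legacy);
console.log("proposed:", proposed);
console.log("legacy leaves raw '<' in attribute:", hasRawLessThanInAttributes(legacy));
console.log("proposed leaves raw '<' in attribute:", hasRawLessThanInAttributes(proposed));
```

Both serializations parse back to the same attribute value in a conforming HTML parser, which is why the change is backwards compatible for round-trips; the difference is that the proposed form no longer depends on the quotes surviving whatever processing sits between serialization and the next parse.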

Standards & signals

Explainers: https://github.com/whatwg/html/issues/6235