Escape "<" and ">" when serializing attribute values #6362
Merged
+8
−7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
7dfae8b to
ac056b2
Compare
|
@zcorpan Thank you for nudging this along! Did you spend any time thinking about compat analysis? Mostly curious, I've never done any compat analysis.. |
zcorpan
added a commit
to web-platform-tests/wpt
that referenced
this pull request
Feb 5, 2021
|
@mozfreddyb I did think about it. I think static analysis is unlikely to find anything. What is possible is to add a use counter in Chromium (or equivalent in other engines) when the HTML serializer serializes an attribute value that contains "<" or ">". When the use counter reaches stable, the next HTTP Archive crawl will collect URLs from its data set of around 7 million pages, which can be queried with BigQuery. If there is an experimental implementation of this change, one can manually test those URLs and see if anything is obviously broken. If this quickly finds multiple things that are broken, then it likely is not a web compatible change. If nothing broken is found, then it might be web compatible, but obviously this wouldn't be a guarantee. The lack of complaints during the dev and beta period is probably a more convincing signal that it is web compatible. |
zcorpan
added a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 3, 2025
evilpie
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 16, 2025
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Apr 23, 2025
…in attribute values, a=testonly Automatic update from web-platform-tests HTML: tentative test for serializing <> in attribute values See whatwg/html#6362 -- wpt-commits: c5d4ba83796ad90ea175682d9e4477656fc5ddb5 wpt-pr: 51827
shtrom
pushed a commit
to mozilla-conduit/ff-test
that referenced
this pull request
Apr 28, 2025
…in attribute values, a=testonly Automatic update from web-platform-tests HTML: tentative test for serializing <> in attribute values See whatwg/html#6362 -- wpt-commits: c5d4ba83796ad90ea175682d9e4477656fc5ddb5 wpt-pr: 51827
i3roly
pushed a commit
to i3roly/firefox-dynasty
that referenced
this pull request
Apr 29, 2025
…in attribute values, a=testonly Automatic update from web-platform-tests HTML: tentative test for serializing <> in attribute values See whatwg/html#6362 -- wpt-commits: c5d4ba83796ad90ea175682d9e4477656fc5ddb5 wpt-pr: 51827
|
The Firefox/Gecko implementation was/is: https://bugzilla.mozilla.org/show_bug.cgi?id=1941347 |
zcorpan
added a commit
to web-platform-tests/wpt
that referenced
this pull request
May 5, 2025
annevk
approved these changes
May 5, 2025
annevk
added a commit
to annevk/WebKit
that referenced
this pull request
May 12, 2025
https://bugs.webkit.org/show_bug.cgi?id=292432 rdar://150520333 Reviewed by NOBODY (OOPS!). Implement whatwg/html#6362 and add a preference in case we find out we have to disable it in certain cases. The preference does not impact the recently added getHTML() method on Element and ShadowRoot as that should be new enough to not matter. Add new test from: web-platform-tests/wpt#27501
webkit-commit-queue
pushed a commit
to annevk/WebKit
that referenced
this pull request
May 20, 2025
https://bugs.webkit.org/show_bug.cgi?id=292432 rdar://150520333 Reviewed by Ryosuke Niwa and Sam Weinig. Implement whatwg/html#6362 and add a preference in case we find out we have to disable it in certain cases. The preference does not impact the recently added getHTML() method on Element and ShadowRoot as that should be new enough to not matter. Add new test from: web-platform-tests/wpt#27501 Canonical link: https://commits.webkit.org/295149@main
|
Given that everyone is moving ahead with this and we still haven't seen breakage, let's flip the switch now. It's also rather awkward to keep the tests and such in limbo that long. |
ac056b2 to
1896a6a
Compare
annevk
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
May 20, 2025
Gingeh
added a commit
to Gingeh/ladybird
that referenced
this pull request
May 22, 2025
AtkinsSJ
pushed a commit
to LadybirdBrowser/ladybird
that referenced
this pull request
May 22, 2025
lando-prod-mozilla bot
pushed a commit
to mozilla-firefox/firefox
that referenced
this pull request
May 23, 2025
…lues when serializing, Automatic update from web-platform-tests HTML: Escape "<" and ">" in attribute values when serializing See whatwg/html#6362. -- wpt-commits: 3fad71d22b6681a3430ff498add3ea8c31660401 wpt-pr: 27501 Differential Revision: https://phabricator.services.mozilla.com/D250932
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
May 24, 2025
…lues when serializing, Automatic update from web-platform-tests HTML: Escape "<" and ">" in attribute values when serializing See whatwg/html#6362. -- wpt-commits: 3fad71d22b6681a3430ff498add3ea8c31660401 wpt-pr: 27501 Differential Revision: https://phabricator.services.mozilla.com/D250932
i3roly
pushed a commit
to i3roly/firefox-dynasty
that referenced
this pull request
May 26, 2025
…lues when serializing, Automatic update from web-platform-tests HTML: Escape "<" and ">" in attribute values when serializing See whatwg/html#6362. -- wpt-commits: 3fad71d22b6681a3430ff498add3ea8c31660401 wpt-pr: 27501 Differential Revision: https://phabricator.services.mozilla.com/D250932
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified-and-comments-removed
that referenced
this pull request
May 28, 2025
…lues when serializing, Automatic update from web-platform-tests HTML: Escape "<" and ">" in attribute values when serializing See whatwg/html#6362. -- wpt-commits: 3fad71d22b6681a3430ff498add3ea8c31660401 wpt-pr: 27501 Differential Revision: https://phabricator.services.mozilla.com/D250932 UltraBlame original commit: b534c633b2ea53fe10c965fc83f8a795b7f7e2a8
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-comments-removed
that referenced
this pull request
May 28, 2025
…lues when serializing, Automatic update from web-platform-tests HTML: Escape "<" and ">" in attribute values when serializing See whatwg/html#6362. -- wpt-commits: 3fad71d22b6681a3430ff498add3ea8c31660401 wpt-pr: 27501 Differential Revision: https://phabricator.services.mozilla.com/D250932 UltraBlame original commit: b534c633b2ea53fe10c965fc83f8a795b7f7e2a8
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified
that referenced
this pull request
May 28, 2025
…lues when serializing, Automatic update from web-platform-tests HTML: Escape "<" and ">" in attribute values when serializing See whatwg/html#6362. -- wpt-commits: 3fad71d22b6681a3430ff498add3ea8c31660401 wpt-pr: 27501 Differential Revision: https://phabricator.services.mozilla.com/D250932 UltraBlame original commit: b534c633b2ea53fe10c965fc83f8a795b7f7e2a8
gotlougit
pushed a commit
to gotlougit/ladybird
that referenced
this pull request
May 29, 2025
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Jul 10, 2025
The experiment to escape "<" and ">" in attributes has been successful and after https://crrev.com/c/6597054 it's been launched to everyone (in M138) and is a part of the spec (see whatwg/html#6362). This CL does a cleanup changes the following: 1) Removes the use counter which is no longer necessary. 2) Updates markup_formatter.{cc,h} so that "<>" are always escaped. 3) Removes EscapeLtGtInAttributes as a runtime enabled feature Note that removing the usecounter forced change to the signature of `AppendAttributeValue` method -- it no longer needs to accept `Document`. So this CL changes more files so all call sites are changed accordingly. Because this has been launched in M138, it's now safe to remove in M140. Bug: 40747109 Change-Id: If14151908eb74643fcbd2fa1d461f6002da3ccd7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6714366 Reviewed-by: Mason Freed <masonf@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Michał Bentkowski <securitymb@google.com> Cr-Commit-Position: refs/heads/main@{#1484826}
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Jul 22, 2025
This reverts commit 8d717b4. Reason for revert: Because I failed to merge the original change in M138, it actually landed in M139. So I'm reverting this one to make sure that the cleanup will happen at M141 at the earliest. Bug: 40747109 Original change's description: > Cleanup after EscapeLtGtInAttributes experiment > > The experiment to escape "<" and ">" in attributes has been successful > and after https://crrev.com/c/6597054 it's been launched to everyone (in > M138) and is a part of the spec (see > whatwg/html#6362). > > This CL does a cleanup changes the following: 1) Removes the use > counter which is no longer necessary. 2) Updates markup_formatter.{cc,h} > so that "<>" are always escaped. 3) Removes EscapeLtGtInAttributes as a > runtime enabled feature > > Note that removing the usecounter forced change to the signature of > `AppendAttributeValue` method -- it no longer needs to accept > `Document`. So this CL changes more files so all call sites are changed > accordingly. > > Because this has been launched in M138, it's now safe to remove in M140. > > Bug: 40747109 > Change-Id: If14151908eb74643fcbd2fa1d461f6002da3ccd7 > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6714366 > Reviewed-by: Mason Freed <masonf@chromium.org> > Reviewed-by: Mike West <mkwst@chromium.org> > Commit-Queue: Michał Bentkowski <securitymb@google.com> > Cr-Commit-Position: refs/heads/main@{#1484826} Bug: 40747109 Change-Id: I617c4a1159c33f4d30d52eea11eca52b58e64d26 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6769766 Reviewed-by: Mason Freed <masonf@chromium.org> Commit-Queue: Michał Bentkowski <securitymb@google.com> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/main@{#1489988}
mnutt
pushed a commit
to movableink/webkit
that referenced
this pull request
Jul 30, 2025
https://bugs.webkit.org/show_bug.cgi?id=292432 rdar://150520333 Reviewed by Ryosuke Niwa and Sam Weinig. Implement whatwg/html#6362 and add a preference in case we find out we have to disable it in certain cases. The preference does not impact the recently added getHTML() method on Element and ShadowRoot as that should be new enough to not matter. Add new test from: web-platform-tests/wpt#27501 Canonical link: https://commits.webkit.org/295149@main
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Avoid a class of XSS attacks where markup goes through
a lossy parse-serialize-parse roundtrip and the original
attribute value is parsed in the data state.
This reverts 4eeb8a1.
Fixes #6235.
(See WHATWG Working Mode: Changes for more details.)
/parsing.html ( diff )
/parsing.html ( diff )