Skip to content

Escape "<" and ">" when serializing attribute values #6362

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Escape "<" and ">" when serializing attribute values #6362

wants to merge 1 commit into from

Conversation

zcorpan
Copy link
Member

@zcorpan zcorpan commented Feb 5, 2021
edited
Loading

Avoid a class of XSS attacks where markup goes through
a lossy parse-serialize-parse roundtrip and the original
attribute value is parsed in the data state.

This reverts 4eeb8a1.

Fixes #6235.

(See WHATWG Working Mode: Changes for more details.)

/parsing.html ( diff )

@zcorpan
Escape "<" and ">" when serializing attribute values
ac056b2 
Avoid a class of XSS attacks where markup goes through
a lossy parse-serialize-parse roundtrip and the original
attribute value is parsed in the data state.

This reverts 4eeb8a1.

Fixes #6235.
@zcorpan zcorpan force-pushed the bocoup/always-escape-lt-gt branch from 7dfae8b to ac056b2 Compare February 5, 2021 10:20
@mozfreddyb
Copy link
Contributor

@zcorpan Thank you for nudging this along! Did you spend any time thinking about compat analysis? Mostly curious, I've never done any compat analysis..

zcorpan added a commit to web-platform-tests/wpt that referenced this pull request Feb 5, 2021
@zcorpan
HTML: Escape "<" and ">" in attribute values when serializing
285a1d6 
See whatwg/html#6362
@zcorpan
Copy link
Member Author

zcorpan commented Feb 5, 2021

@mozfreddyb I did think about it. I think static analysis is unlikely to find anything. What is possible is to add a use counter in Chromium (or equivalent in other engines) when the HTML serializer serializes an attribute value that contains "<" or ">". When the use counter reaches stable, the next HTTP Archive crawl will collect URLs from its data set of around 7 million pages, which can be queried with BigQuery. If there is an experimental implementation of this change, one can manually test those URLs and see if anything is obviously broken.

If this quickly finds multiple things that are broken, then it likely is not a web compatible change. If nothing broken is found, then it might be web compatible, but obviously this wouldn't be a guarantee. The lack of complaints during the dev and beta period is probably a more convincing signal that it is web compatible.

@zcorpan zcorpan mentioned this pull request Feb 5, 2021
Open
zcorpan added a commit to web-platform-tests/wpt that referenced this pull request Apr 3, 2025
@zcorpan
HTML: tentative test for serializing <> in attribute values
44709aa 
See whatwg/html#6362
@zcorpan zcorpan mentioned this pull request Apr 3, 2025
Merged
evilpie pushed a commit to web-platform-tests/wpt that referenced this pull request Apr 16, 2025
@zcorpan @evilpie
HTML: tentative test for serializing <> in attribute values
c5d4ba8 
See whatwg/html#6362
@evilpie evilpie mentioned this pull request Apr 23, 2025
Closed
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this pull request Apr 23, 2025
@zcorpan @moz-wptsync-bot
Bug 1960896 [wpt PR 51827] - HTML: tentative test for serializing <> …
0fcd1c4 
…in attribute values, a=testonly

Automatic update from web-platform-tests
HTML: tentative test for serializing <> in attribute values

See whatwg/html#6362

--

wpt-commits: c5d4ba83796ad90ea175682d9e4477656fc5ddb5
wpt-pr: 51827
shtrom pushed a commit to mozilla-conduit/ff-test that referenced this pull request Apr 28, 2025
@zcorpan @moz-wptsync-bot
Bug 1960896 [wpt PR 51827] - HTML: tentative test for serializing <> …
4a7fb79 
…in attribute values, a=testonly

Automatic update from web-platform-tests
HTML: tentative test for serializing <> in attribute values

See whatwg/html#6362

--

wpt-commits: c5d4ba83796ad90ea175682d9e4477656fc5ddb5
wpt-pr: 51827
i3roly pushed a commit to i3roly/firefox-dynasty that referenced this pull request Apr 29, 2025
@zcorpan @moz-wptsync-bot
Bug 1960896 [wpt PR 51827] - HTML: tentative test for serializing <> …
3216f9a 
…in attribute values, a=testonly

Automatic update from web-platform-tests
HTML: tentative test for serializing <> in attribute values

See whatwg/html#6362

--

wpt-commits: c5d4ba83796ad90ea175682d9e4477656fc5ddb5
wpt-pr: 51827
@evilpie
Copy link

evilpie commented Apr 29, 2025

The Firefox/Gecko implementation was/is: https://bugzilla.mozilla.org/show_bug.cgi?id=1941347

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Escape "<" and ">" in attributes when serializing HTML
3 participants
@zcorpan @mozfreddyb @evilpie