Skip to content

Firefox Nightly escapes < and > in attributes when serializing HTML#26688

Merged
caugner merged 7 commits intomainfrom
ff139_escape_attributes_when_serializing
May 9, 2025
Merged

Firefox Nightly escapes < and > in attributes when serializing HTML#26688
caugner merged 7 commits intomainfrom
ff139_escape_attributes_when_serializing

Conversation

@hamishwillee
Copy link
Contributor

@hamishwillee hamishwillee commented May 2, 2025
edited
Loading

FF139 adds support for escaping < and > to &lt; and &gt; in attributes when serializing HTML in https://bugzilla.mozilla.org/show_bug.cgi?id=1941347. This affects all the obvious methods like innerHTML, outerHTML, getHTML.

This is enabled in nightly from FF139 (associated pref is dom.security.html_serialization_escape_lt_gt)

Some questions inline.

Related docs work can be tracked in mdn/content#39309

@github-actions github-actions bot added data:api Compat data for Web APIs. https://developer.mozilla.org/docs/Web/API size:l [PR only] 101-1000 LoC changed labels May 2, 2025
@github-actions
Copy link
Contributor

github-actions bot commented May 2, 2025
edited
Loading

Tip: Review these changes grouped by change (recommended for most PRs), or grouped by feature (for large PRs).

hamishwillee
hamishwillee commented May 2, 2025
View reviewed changes
hamishwillee
hamishwillee commented May 2, 2025
View reviewed changes
hamishwillee
hamishwillee commented May 2, 2025
View reviewed changes
@hamishwillee hamishwillee mentioned this pull request May 2, 2025
Closed
8 tasks
caugner
caugner requested changes May 6, 2025
View reviewed changes
@hamishwillee @caugner
Update api/Element.json
b42816d 
Co-authored-by: Claas Augner <495429+caugner@users.noreply.github.com>
hamishwillee
hamishwillee commented May 6, 2025
View reviewed changes
hamishwillee
hamishwillee commented May 6, 2025
View reviewed changes
hamishwillee
hamishwillee commented May 6, 2025
View reviewed changes
hamishwillee
hamishwillee commented May 6, 2025
View reviewed changes
hamishwillee
hamishwillee commented May 6, 2025
View reviewed changes
hamishwillee
hamishwillee commented May 6, 2025
View reviewed changes
hamishwillee
hamishwillee commented May 6, 2025
View reviewed changes
hamishwillee
hamishwillee commented May 6, 2025
View reviewed changes
hamishwillee
hamishwillee commented May 6, 2025
View reviewed changes
@hamishwillee hamishwillee requested a review from caugner May 6, 2025 22:29
@hamishwillee
Copy link
Contributor Author

hamishwillee commented May 6, 2025

Thanks very much for the help @caugner . Updated.

caugner
caugner approved these changes May 7, 2025
View reviewed changes
Copy link
Contributor

@caugner caugner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just one nit: We have subfeatures accepts_*, so escapes_* is preferable to escape_*.

caugner
caugner requested changes May 7, 2025
View reviewed changes
Copy link
Contributor

@caugner caugner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I missed this: Technically, this is not on the standard-track yet.

@hamishwillee @caugner
Apply suggestions from code review
5128cb4 
Co-authored-by: Claas Augner <495429+caugner@users.noreply.github.com>
@hamishwillee hamishwillee requested a review from caugner May 9, 2025 00:57
@hamishwillee
Copy link
Contributor Author

hamishwillee commented May 9, 2025

Sorry, I missed this: Technically, this is not on the standard-track yet.

Sorry I missed that too. Merged all those.

caugner
caugner approved these changes May 9, 2025
View reviewed changes
Copy link
Contributor

@caugner caugner left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just one non-blocking comment.

api/ShadowRoot.json
"description": "Serializes `<` and `>` in attributes as `&amp;lt;` and `&amp;gt;` (see [this spec issue](https://github.com/whatwg/html/issues/6235))",
"support": {
"chrome": {
"version_added": false
Copy link
Contributor

@caugner caugner May 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we know if Chromium intentionally doesn't implement this?

Otherwise, would it make sense to ask in https://issues.chromium.org/issues/40747109, and add this bug as impl_url here?

Copy link
Contributor Author

@hamishwillee hamishwillee May 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably - at the end it says "Currently, there's an ongoing finch experiment to enable escaping for 50% of Canary, Dev and Beta and 1% of Stable. As far as I'm aware, there's been no complaints so far."

I'm mostly interested in Firefox :-)

@caugner caugner changed the title FF139 attributes in serialized HTML escaped for < and > Firefox Nightly escapes < and > in attributes when serializing HTML May 9, 2025
@caugner caugner merged commit 0c67b2d into main May 9, 2025
11 checks passed
@caugner caugner deleted the ff139_escape_attributes_when_serializing branch May 9, 2025 14:03
@mdn-bot mdn-bot mentioned this pull request May 9, 2025
Merged
@CASERGN

This comment was marked as spam.

Sign in to view
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@caugner caugner caugner approved these changes

Assignees

No one assigned

Labels

data:api Compat data for Web APIs. https://developer.mozilla.org/docs/Web/API size:l [PR only] 101-1000 LoC changed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hamishwillee @CASERGN @caugner