
FF139 ExprFeat: Escape < and > in attributes when serialize HTML #39363

Merged: hamishwillee merged 2 commits into mdn:main from hamishwillee:ff139relnote_escape_serialized_attr on May 5, 2025

Conversation

@hamishwillee (Collaborator)

FF139 escapes < as &lt; and > as &gt; in attribute values when HTML is serialized (i.e. when reading Element.innerHTML, Element.outerHTML, Element.getHTML(), ShadowRoot.innerHTML, and ShadowRoot.getHTML()).

This is the experimental features update.

Related docs can be tracked in #39309
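The serialization rule the description above refers to, as an added example that is not code from this PR, from Firefox, or from the spec's own serializer: a minimal JavaScript reimplementation of the HTML fragment serializer's attribute escaping, with a flag that switches between the pre-139 rule (only `&`, U+00A0 and `"` are escaped in attribute values) and the FF139 rule (`<` and `>` are escaped as well). `serializeElement` handles one element with text content; the tag, attribute names and values are constructed sample data, and `attributeValuesContainRawAngleBrackets` is a hypothetical check for comparing the two outputs.

```javascript
// Added example (not from the MDN PR, Firefox, or the HTML spec's serializer):
// attribute escaping as done by the fragment serializer, with a switch for the
// FF139 behaviour of also escaping < and > inside attribute values.

// Escape one attribute value. The pre-139 rule touches only &, U+00A0 and ";
// with escapeAngleBrackets set, < and > are escaped too.
function escapeAttributeValue(value, escapeAngleBrackets) {
  let out = value
    .replace(/&/g, "&amp;") // first, so entities produced below are not re-escaped
    .replace(/\u00a0/g, "&nbsp;")
    .replace(/"/g, "&quot;");
  if (escapeAngleBrackets) {
    out = out.replace(/</g, "&lt;").replace(/>/g, "&gt;");
  }
  return out;
}

// Escape text content (non-attribute mode): &, U+00A0, < and > are always escaped.
function escapeText(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/\u00a0/g, "&nbsp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Serialize a single element with attributes and text content, the way
// outerHTML would for a simple element (no child elements handled here).
function serializeElement(tagName, attributes, text, escapeAngleBrackets) {
  const attrs = Object.entries(attributes)
    .map(([name, value]) => ` ${name}="${escapeAttributeValue(value, escapeAngleBrackets)}"`)
    .join("");
  return `<${tagName}${attrs}>${escapeText(text)}</${tagName}>`;
}

// Hypothetical check: does any double-quoted attribute value in the serialized
// string still contain a raw < or >? A serializer following the FF139 rule
// should make this return false for every input.
function attributeValuesContainRawAngleBrackets(serialized) {
  const attrValueRe = /="([^"]*)"/g;
  let match;
  while ((match = attrValueRe.exec(serialized)) !== null) {
    if (/[<>]/.test(match[1])) return true;
  }
  return false;
}

// Constructed sample: an attribute value that happens to contain markup-like text.
const sampleAttributes = { title: "a<b>c", "data-note": 'say "hi" & bye' };
console.log("pre-139:", serializeElement("div", sampleAttributes, "x", false));
console.log("FF139:  ", serializeElement("div", sampleAttributes, "x", true));
```

Run with Node; the two printed strings differ only inside the `title` attribute, where the FF139 output carries `&lt;` and `&gt;` instead of raw brackets, so a later re-parse of the serialized string cannot read that value as tag content. The check function is the kind of assertion a test suite would run over serializer output after this change.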

@hamishwillee hamishwillee requested a review from a team as a code owner May 2, 2025 04:26
@hamishwillee hamishwillee requested review from dipikabh and removed request for a team May 2, 2025 04:26
@github-actions github-actions bot added Content:Firefox Content in the Mozilla/Firefox subtree size/s [PR only] 6-50 LoC changed labels May 2, 2025
@github-actions (Contributor)

github-actions bot commented May 2, 2025

Preview URLs

Flaws (1)

URL: /en-US/docs/Mozilla/Firefox/Experimental_features
Title: Experimental features in Firefox
Flaw count: 1

  • broken_links:
    • Can't resolve /en-US/docs/Web/API/HTML_Sanitizer_API
External URLs (1)

URL: /en-US/docs/Mozilla/Firefox/Experimental_features
Title: Experimental features in Firefox

(comment last updated: 2025-05-05 00:14:05)

@dipikabh (Contributor) left a comment


Thanks!

Comment on lines +1114 to +1116
This prevents certain exploits where HTML is serialized and then injected back into the DOM.
The affected methods and properties are: {{domxref("Element.innerHTML")}}, {{domxref("Element.outerHTML")}}, {{domxref("Element.getHTML()")}}, {{domxref("ShadowRoot.innerHTML")}}, and {{domxref("ShadowRoot.getHTML()")}}.
([Firefox bug 1941347](https://bugzil.la/1941347))
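Review bot: "certain exploits" on the first quoted line leaves the reader without the failure mode the change closes; since the PR title says the escaping applies to `<` and `>` in attribute values, state that directly, e.g. "This prevents an attribute value that contains `<` or `>` from being interpreted as markup when the serialized HTML is parsed and inserted back into the DOM." The last quoted line also needs a period after the bug link.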
Contributor

Same suggestions as in #39364 (review)
And don't miss the period at the end after the bug link :)

@hamishwillee hamishwillee merged commit 43254b2 into mdn:main May 5, 2025
8 checks passed