Skip to content
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions files/en-us/mozilla/firefox/releases/139/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,10 @@ This article provides information about the changes in Firefox 139 that affect d

These features are newly shipped in Firefox 139 but are disabled by default. To experiment with them, search for the appropriate preference on the `about:config` page and set it to `true`. You can find more such features on the [Experimental features](/en-US/docs/Mozilla/Firefox/Experimental_features) page.

- **Escape `<` and `>` in attributes when serializing HTML** `dom.security.html_serialization_escape_lt_gt`.
Comment thread
hamishwillee marked this conversation as resolved.
Outdated
The browser replaces the `<` and `>` characters with `&lt;` and `&gt;` (respectively) in attributes when serializing HTML, which prevents certain exploits where HTML is serialized and then injected back into the DOM.
Comment thread
hamishwillee marked this conversation as resolved.
Outdated
The affected methods and properties are: {{domxref("Element.innerHTML")}}, {{domxref("Element.outerHTML")}}, {{domxref("Element.getHTML()")}}, {{domxref("ShadowRoot.innerHTML")}}, and {{domxref("ShadowRoot.getHTML()")}}. ([Firefox bug 1941347](https://bugzil.la/1941347))
Comment thread
hamishwillee marked this conversation as resolved.
Outdated

## Older versions

{{Firefox_for_developers}}