Today we published two blog posts about an HTML specification change that makes mutation XSS harder to exploit! Long story short: `<` and `>` are now escaped in attributes.

* Blog post about security rationale behind this change: https://bughunters.google.com/blog/5038742869770240/escaping-and-in-attributes-how-it-helps-protect-against-mutation-xss
* Blog post about how it affects web developers: https://developer.chrome.com/blog/escape-attributes?hl=en

Blog: Escaping '<' and '>' in attributes – How it helps protect against mutation XSS

The HTML specification has been updated to escape '<' and '>' in attributes to prevent mutation XSS (mXSS) vulnerabilities. This post details the reasoning behind this change and explains why this update improves security.
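The change announced above is easiest to see in a small model of the serializer. The block below is an added example, not code from the thread or from either linked blog post: it implements the attribute-mode escaping as it was specified before the change and as it is now, serializes a `style` element whose child carries an attribute containing `</style>` (valid markup in SVG, where `style` is an ordinary element), and checks whether an HTML RAWTEXT tokenizer would close the `style` element early when that serialization is re-parsed in an HTML context. The function names, the regular-expression model of RAWTEXT end-tag matching, and the sample attribute value are all my own assumptions and constructions.

```javascript
// Added example: a model of the HTML "escaping a string" algorithm in
// attribute mode, before and after the spec change, plus a check for the
// round-trip failure mode the change addresses.

// Attribute-mode escaping as specified before the change: only &, U+00A0 and "
function escapeAttrOld(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/\u00A0/g, '&nbsp;')
    .replace(/"/g, '&quot;');
}

// Attribute-mode escaping after the change: additionally < and >
function escapeAttrNew(value) {
  return escapeAttrOld(value)
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Serialize one element with attributes and already-serialized children
// (hypothetical helper, not a browser API).
function serializeElement(tag, attrs, innerHTML, escapeAttr) {
  const attrText = Object.entries(attrs)
    .map(([name, value]) => ` ${name}="${escapeAttr(value)}"`)
    .join('');
  return `<${tag}${attrText}>${innerHTML}</${tag}>`;
}

// RAWTEXT end-tag model: in HTML the content of style/script/xmp is RAWTEXT,
// so the tokenizer ends the element at the first "</tag" followed by
// whitespace, "/" or ">" (case-insensitive), with no notion of attribute
// quotes. Returns the offset of that match, or -1.
function rawtextEndOffset(content, tag) {
  const re = new RegExp(`</${tag}(?=[\\t\\n\\f />])`, 'i');
  const m = re.exec(content);
  return m ? m.index : -1;
}

// Constructed sample: an attribute value that happens to contain an end tag.
const childAttr = { title: '</style><b>not style text</b>' };

// Serialize <style><a title=...></a></style> and report whether re-parsing it
// in an HTML context would close the style element inside the attribute value.
function roundTripStyle(escapeAttr) {
  const child = serializeElement('a', childAttr, '', escapeAttr);
  const style = serializeElement('style', {}, child, escapeAttr);
  const inner = style.slice('<style>'.length);
  const end = rawtextEndOffset(inner, 'style');
  return {
    serialized: style,
    // true when the first RAWTEXT end tag is not the real closing tag
    closesEarly: end !== -1 && end < inner.lastIndexOf('</style>'),
  };
}

for (const [label, esc] of [['old', escapeAttrOld], ['new', escapeAttrNew]]) {
  const r = roundTripStyle(esc);
  console.log(`${label}: closesEarly=${r.closesEarly} ${r.serialized}`);
}
```

With the old escaping, the serialized string contains a literal `</style>` inside the attribute, so re-parsing it as HTML ends the `style` element there and the rest of the attribute value is tokenized as markup; with the new escaping the angle brackets become `&lt;` and `&gt;`, and the only `</style` the RAWTEXT tokenizer can find is the real closing tag.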

@securitymb

> While there’s currently no proposal that addresses this issue, the Google Information Security Engineering team is planning to explore options to fix this vector as well.

Let's do it. I've written about improving consistency in parsing before: https://x.com/zcorpan/status/1339517144053243906

Although making SVG style and script tokenize like HTML doesn't necessarily solve mXSS, it seems like an improvement. Removing the scripting enabled check for noscript is another, but it would break the feature.

Simon Pieters (@zcorpan) on X

I think we should have designed parsing of SVG/MathML in HTML differently. The choices are still surfacing security bugs. I think there are more to be found, and a simpler design would have prevented them at the cost of breaking some sites in 2008. Thread https://t.co/2vDR89KxeL

@zcorpan I think we'd have to ensure consistency for all tags, including `<xmp>` for example, right?

I assume we'd need to add some use counters first. My intuition is that we'd have to check whether tags such as <script> or <style> in non-HTML namespaces have non-text-nodes as children. Is there something else?

@securitymb Right. But script and style are actual SVG elements so those are likely most risky compat-wise.

Elements or character references or CDATA sections, or even comments.

@zcorpan Do you think we should create a spec issue for this? Or would a Chromium bug be enough for now? I'd just like to discuss some details before implementing the use counters. Those places seem more appropriate for that than Mastodon 😅

[mXSS] Consider making HTML parsing of `style`, `script`, `xmp` etc consistent between SVG, MathML, HTML · Issue #11397 · whatwg/html

What is the issue with the HTML Standard? Elements that are parsed as RAWTEXT or RCDATA in HTML context but as normal elements in foreign content context have been used for mXSS vectors. Examples: ...