✍️ https://htmlparser.info & https://wpc.guide
| X | https://twitter.com/zcorpan |
| Bluesky | https://bsky.app/profile/zcorpan.bsky.social |
Mozilla is looking for a Staff Security Engineer, Product Security in Remote Canada/US/UK/Germany - https://www.mozilla.org/en-US/careers/position/gh/7539147/
This role expects a significant level of experience in penetration testing, code review, SAST/DAST. (This is not my team, so I won't be able to answer a lot of the typical questions. But you'll get to work on cool products with lots of cool people! :))
Intuitively, for a DOM Sanitizer configuration that looks like the following:
{
elements: ["div", "span"],
attributes: ["class"],
}
For a <div> element, which attributes do you think should/would be allowed?
(Boost appreciated)
⚠️ Last chance to fill out #StateOfHTML 2025 and get browsers to pay attention to your web platform pain points!
After popular demand, the survey closing date has been extended for a few more days so that returning OOO folks get a chance to fill it out too!
https://survey.devographics.com/en-US/survey/state-of-html/2025/?source=leaverou
If you use "AI agents" (LLMs calling tools in a loop) you need to be aware of the Lethal Trifecta
Any time you combine access to private data, exposure to untrusted content and the ability to externally communicate an attacker can trick the system into stealing your data https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
Today we published two blog posts about an HTML specification change that makes mutation XSS harder to exploit! Long story short: `<` and `>` are now escaped in attributes.
* Blog post about security rationale behind this change: https://bughunters.google.com/blog/5038742869770240/escaping-and-in-attributes-how-it-helps-protect-against-mutation-xss
* Blog post about how it affects web developers: https://developer.chrome.com/blog/escape-attributes?hl=en
The HTML specification has been updated to escape '<' and '>' in attributes to prevent mutation XSS (mXSS) vulnerabilities. This post details the reasoning behind this change and explains why this update improves security.
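The following is an added example, not code from the post, the linked blog posts, or any browser. It models the one serializer rule the change touches (attribute-value escaping before and after the commit) and the one tokenizer rule that makes the difference matter (a scripting-enabled parser treating `<noscript>` content as raw text that ends at the first `</noscript`). The sanitized tree is a constructed illustration of the well-known noscript mutation-XSS pattern: a sanitizer parses with scripting disabled, sees only `noscript > p[title]`, serializes it, and the browser re-parses the result with scripting enabled. Everything else about HTML parsing and serialization (void elements, other raw-text elements, entity decoding) is deliberately left out.

```javascript
// Added example, not from the original post. Simplified models of the HTML
// serializer's attribute escaping and of the RAWTEXT end-tag scan; the input
// tree below is constructed for illustration.

// Attribute-value escaping. Before the spec change only "&", U+00A0 and '"'
// were escaped in attribute values; the updated algorithm also escapes "<"
// and ">" (escapeAngleBrackets: true).
function escapeAttributeValue(value, { escapeAngleBrackets }) {
  let out = value
    .replace(/&/g, "&amp;")
    .replace(/\u00a0/g, "&nbsp;")
    .replace(/"/g, "&quot;");
  if (escapeAngleBrackets) {
    out = out.replace(/</g, "&lt;").replace(/>/g, "&gt;");
  }
  return out;
}

// Text nodes always had "<" and ">" escaped; attributes were the odd one out.
function escapeText(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/\u00a0/g, "&nbsp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Minimal serializer over {tag, attrs, children} trees (no void elements).
function serialize(node, opts) {
  if (typeof node === "string") return escapeText(node);
  const attrs = Object.entries(node.attrs || {})
    .map(([name, value]) => ` ${name}="${escapeAttributeValue(value, opts)}"`)
    .join("");
  const inner = (node.children || []).map((c) => serialize(c, opts)).join("");
  return `<${node.tag}${attrs}>${inner}</${node.tag}>`;
}

// With scripting enabled the tokenizer switches to RAWTEXT after <noscript>,
// so the element's content ends at the first "</noscript" followed by
// whitespace, "/" or ">" (case-insensitive), wherever it appears.
function rawTextEnd(html, start, tagName) {
  const re = new RegExp("</" + tagName + "(?=[\\t\\n\\f />])", "ig");
  re.lastIndex = start;
  const m = re.exec(html);
  return m ? m.index : html.length;
}

// Returns the part of a serialized "<noscript>..." string that a
// scripting-enabled parser would process as ordinary markup after the
// noscript raw text ends. Empty means nothing escaped the element.
function markupOutsideNoscript(html) {
  const open = "<noscript>";
  if (!html.startsWith(open)) throw new Error("expected <noscript> first");
  const end = rawTextEnd(html, open.length, "noscript");
  const closeGt = html.indexOf(">", end);
  return closeGt === -1 ? "" : html.slice(closeGt + 1);
}

// Constructed input: what a sanitizer parsing with scripting disabled sees for
//   <noscript><p title="</noscript><img src=x onerror=alert(1)>"></p></noscript>
// Only a <p> with a title attribute; nothing to strip.
const SANITIZED_TREE = {
  tag: "noscript",
  children: [{ tag: "p", attrs: { title: "</noscript><img src=x onerror=alert(1)>" } }],
};

const OLD_SERIALIZATION = serialize(SANITIZED_TREE, { escapeAngleBrackets: false });
const NEW_SERIALIZATION = serialize(SANITIZED_TREE, { escapeAngleBrackets: true });

console.log("old:", OLD_SERIALIZATION);
console.log("    markup leaking out of <noscript>:", JSON.stringify(markupOutsideNoscript(OLD_SERIALIZATION)));
console.log("new:", NEW_SERIALIZATION);
console.log("    markup leaking out of <noscript>:", JSON.stringify(markupOutsideNoscript(NEW_SERIALIZATION)));
```

With the old escaping, the re-parse ends the noscript raw text at the `</noscript` sitting inside the title attribute, and the `<img ... onerror=...>` that follows becomes a real element. With `<` and `>` escaped, the attribute value contains no `</noscript` sequence, the raw text runs to the real closing tag, and the payload stays an inert attribute value, which is the reason the change closes off this class of mXSS without any sanitizer changes.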
Remember this tiny change to the HTML spec?
It just prevented a critical bug in an application we are currently testing.
https://github.com/whatwg/html/commit/e21bd3b4a94bfdbc23d863128e0b207be9821a0f
❤️ cc @freddy @securitymb
I wrote an article that was #1 on the orange website for a bit earlier today