Simon Pieters

@zcorpan
460 Followers
336 Following
153 Posts
Web standards engineer @[email protected]
✍️ https://htmlparser.info & https://wpc.guide
Xhttps://twitter.com/zcorpan
Blueskyhttps://bsky.app/profile/zcorpan.bsky.social
Simon PietersMay 19
@boazsender hey we fixed https://bugzilla.mozilla.org/show_bug.cgi?id=700123
700123 - Implement Fullscreen Keyboard Lock

RESOLVED (avandolder) in Core - DOM: Core & HTML. Last updated 2026-04-26.

Simon PietersJan 16
Frederik Braun �Jan 15

Mozilla is looking for a Staff Security Engineer, Product Security in Remote Canada/US/UK/Germany - https://www.mozilla.org/en-US/careers/position/gh/7539147/

This role expects a significant level of experience in penetration testing, code review, SAST/DAST. (This is not my team, so I won't be able to answer a lot of the typical questions. But you'll get to work on cool products with lots of cool people! :))

Mozilla Careers — Staff Security Engineer, Product Security — Open Positions

Mozilla is hiring a Staff Security Engineer, Product Security in Remote US, Security, Security, Security, Firefox, Firefox, Finance, Security, Security, Marketing, Firefox,…

Mozilla
Simon PietersOct 3, 2025

RE: https://mastodon.social/@MerriNet/115305163473416888

Indeed

Simon PietersSep 19, 2025
Tom SchusterSep 19, 2025

Intutively for a DOM Sanitizer configuration that looks like the following:

{
elements: ["div", "span"],
attributes: ["class"],
}

For a <div> element, which attributes do you think should/would be allowed?

(Boost appreciated)

No attributes
0%
All attributes
0%
Only the "class" attribute
89.5%
Other (please specify)
10.5%
Poll ended at .
Simon PietersSep 18, 2025
BocoupSep 17, 2025
Just published: "The Web's Most Tolerated Feature" by @jugglinmike https://www.bocoup.com/blog/the-webs-most-tolerated-feature
A Worker-Owned Tech Consultancy - Bocoup

Web Platform Consulting Services

Show threadSimon PietersAug 27, 2025
@patrickbrosset @rgadellaa Yep. Thanks!
Show threadSimon PietersAug 26, 2025
@patrickbrosset @rgadellaa Yes. https://html.spec.whatwg.org/multipage/images.html#images:~:text=For%20better%20backwards%2Dcompatibility%20with%20legacy%20user%20agents%20that%20don%27t%20support%20the%20auto%20keyword%2C%20fallback%20sizes%20can%20be%20specified%20if%20desired
HTML Standard

Simon PietersAug 19, 2025
Lea Verou, PhDAug 19, 2025

⚠️ Last chance to fill out #StateOfHTML 2025 and get browsers to pay attention to your web platform pain points!

After popular demand, the survey closing date has been extended for a few more days so that returning OOO folks get a chance to fill it out too!

https://survey.devographics.com/en-US/survey/state-of-html/2025/?source=leaverou

State of HTML 2025

Take the State of HTML survey

State of HTML 2025
Show threadSimon PietersJun 25, 2025
@securitymb Good point! Filed https://github.com/whatwg/html/issues/11397
[mXSS] Consider making HTML parsing of `style`, `script`, `xmp` etc consistent between SVG, MathML, HTML · Issue #11397 · whatwg/html

What is the issue with the HTML Standard? Elements that are parsed as RAWTEXT or RCDATA in HTML context but as normal elements in foreign content context have been used for mXSS vectors. Examples: ...

GitHub
Show threadSimon PietersJun 23, 2025

@securitymb Right. But script and style are actual SVG elements so those are likely most risky compat-wise.

Elements or character references or CDATA sections, or even comments.