
Firefox Nightly escapes < and > in attributes when serializing HTML #26688


Merged
merged 7 commits into from
May 9, 2025

@hamishwillee hamishwillee commented May 2, 2025

FF139 adds support for escaping < and > to &lt; and &gt; in attributes when serializing HTML in https://bugzilla.mozilla.org/show_bug.cgi?id=1941347. This affects all the obvious methods like innerHTML, outerHTML, getHTML.

This is enabled in nightly from FF139 (associated pref is dom.security.html_serialization_escape_lt_gt)

Some questions inline.

Related docs work can be tracked in mdn/content#39309
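An added example (not part of this PR, BCD, or Firefox's code) that models the attribute escaping described above: the previous rule, the rule with `<` and `>` escaped, and a probe that reports which rule a given serializer applies. All function names are hypothetical; the legacy rule shown is the HTML standard's attribute-mode string escaping (`&`, U+00A0 and `"`).

```javascript
// Added example: models attribute-value escaping during HTML serialization.
// Function names are hypothetical; sample inputs are constructed.

// Escaping before the change: only &, U+00A0 and " are replaced in attribute values.
function escapeAttrLegacy(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/\u00A0/g, "&nbsp;")
    .replace(/"/g, "&quot;");
}

// Escaping with the change described in this PR: < and > are replaced as well.
// & is handled first, so the entities produced here are not escaped a second time.
function escapeAttrWithLtGt(value) {
  return escapeAttrLegacy(value)
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Serialize a start tag from a tag name and an attribute map,
// using whichever escaping rule is passed in.
function serializeStartTag(tagName, attrs, escapeAttr) {
  const parts = Object.entries(attrs).map(
    ([name, value]) => ` ${name}="${escapeAttr(value)}"`
  );
  return `<${tagName}${parts.join("")}>`;
}

// Probe: given any function (attrValue) => serialized markup, report whether
// < and > inside the attribute value come back escaped.
function escapesLtGtInAttributes(serializeWithAttr) {
  const probe = "<probe>";
  const out = serializeWithAttr(probe);
  return out.includes("&lt;probe&gt;") && !out.includes(probe);
}

// In a browser the probe can wrap a real serializer, for example:
//   escapesLtGtInAttributes((v) => {
//     const el = document.createElement("div");
//     el.setAttribute("title", v);
//     return el.outerHTML;
//   });
```

Code that compares serialized markup against fixed strings, or that scans `innerHTML` output for a literal `<` inside attribute values, sees different text under the two rules, which is what the probe distinguishes.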

@github-actions github-actions bot added data:api Compat data for Web APIs. https://developer.mozilla.org/docs/Web/API size:l [PR only] 101-1000 LoC changed labels May 2, 2025
github-actions bot commented May 2, 2025

Tip: Review these changes grouped by change (recommended for most PRs), or grouped by feature (for large PRs).

Co-authored-by: Claas Augner <495429+caugner@users.noreply.github.com>
@hamishwillee hamishwillee requested a review from caugner May 6, 2025 22:29
@hamishwillee

Thanks very much for the help @caugner. Updated.

@caugner caugner left a comment

LGTM, just one nit: We have subfeatures accepts_*, so escapes_* is preferable to escape_*.

@caugner caugner left a comment

Sorry, I missed this: Technically, this is not on the standard-track yet.

Co-authored-by: Claas Augner <495429+caugner@users.noreply.github.com>
@hamishwillee hamishwillee requested a review from caugner May 9, 2025 00:57
@hamishwillee

> Sorry, I missed this: Technically, this is not on the standard-track yet.

Sorry I missed that too. Merged all those.

@caugner caugner left a comment

LGTM, just one non-blocking comment.

"description": "Serializes `<` and `>` in attributes as `&amp;lt;` and `&amp;gt;` (see [this spec issue](https://github.com/whatwg/html/issues/6235))",
"support": {
"chrome": {
"version_added": false
Contributor

Do we know if Chromium intentionally doesn't implement this?

Otherwise, would it make sense to ask in https://issues.chromium.org/issues/40747109, and add this bug as impl_url here?

Contributor Author

Probably - at the end it says "Currently, there's an ongoing finch experiment to enable escaping for 50% of Canary, Dev and Beta and 1% of Stable. As far as I'm aware, there's been no complaints so far."

I'm mostly interested in Firefox :-)

@caugner caugner changed the title FF139 attributes in serialized HTML escaped for < and > Firefox Nightly escapes < and > in attributes when serializing HTML May 9, 2025
@caugner caugner merged commit 0c67b2d into main May 9, 2025
11 checks passed
@caugner caugner deleted the ff139_escape_attributes_when_serializing branch May 9, 2025 14:03
@mdn-bot mdn-bot mentioned this pull request May 9, 2025