FF139 Relnote - Escape < and > in attributes when serializing HTML (#39364)

hamishwillee · dipikabh · web-flow · commit f4651c13078d · 2025-05-05T10:09:41.000+10:00
* FF139 Relnote: ExprFeat Escape &lt; and &gt; in attributes when serialize HTML

* Apply suggestions from code review

Co-authored-by: Dipika Bhattacharya &lt;dipika@foss-community.org&gt;

---------

Co-authored-by: Dipika Bhattacharya &lt;dipika@foss-community.org&gt;
diff --git a/files/en-us/mozilla/firefox/releases/139/index.md b/files/en-us/mozilla/firefox/releases/139/index.md
@@ -72,6 +72,10 @@ This article provides information about the changes in Firefox 139 that affect d
 
 These features are newly shipped in Firefox 139 but are disabled by default. To experiment with them, search for the appropriate preference on the `about:config` page and set it to `true`. You can find more such features on the [Experimental features](/en-US/docs/Mozilla/Firefox/Experimental_features) page.
 
+- **Support for escaping `<` and `>` in attributes when serializing HTML**: `dom.security.html_serialization_escape_lt_gt`.
+  Firefox now replaces the `<` and `>` characters with `&lt;` and `&gt;`, respectively, in attributes when serializing HTML. This helps prevent certain exploits where HTML is serialized and then injected back into the DOM.
+  The affected methods and properties are: {{domxref("Element.innerHTML")}}, {{domxref("Element.outerHTML")}}, {{domxref("Element.getHTML()")}}, {{domxref("ShadowRoot.innerHTML")}}, and {{domxref("ShadowRoot.getHTML()")}}. ([Firefox bug 1941347](https://bugzil.la/1941347)).
+
 ## Older versions
 
 {{Firefox_for_developers}}
