From 4f7933d4a07801381bf0c691a6a23ca65ac0aba9 Mon Sep 17 00:00:00 2001 From: Hamish Willee Date: Fri, 2 May 2025 14:33:24 +1000 Subject: [PATCH 1/2] FF139 Relnote: ExprFeat Escape < and > in attributes when serialize HTML --- files/en-us/mozilla/firefox/releases/139/index.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/files/en-us/mozilla/firefox/releases/139/index.md b/files/en-us/mozilla/firefox/releases/139/index.md index 539564e316220fc..fe572aa82ee3468 100644 --- a/files/en-us/mozilla/firefox/releases/139/index.md +++ b/files/en-us/mozilla/firefox/releases/139/index.md @@ -68,6 +68,10 @@ This article provides information about the changes in Firefox 139 that affect d These features are newly shipped in Firefox 139 but are disabled by default. To experiment with them, search for the appropriate preference on the `about:config` page and set it to `true`. You can find more such features on the [Experimental features](/en-US/docs/Mozilla/Firefox/Experimental_features) page. +- **Escape `<` and `>` in attributes when serializing HTML** `dom.security.html_serialization_escape_lt_gt`. + The browser replaces the `<` and `>` characters with `<` and `>` (respectively) in attributes when serializing HTML, which prevents certain exploits where HTML is serialized and then injected back into the DOM. + The affected methods and properties are: {{domxref("Element.innerHTML")}}, {{domxref("Element.outerHTML")}}, {{domxref("Element.getHTML()")}}, {{domxref("ShadowRoot.innerHTML")}}, and {{domxref("ShadowRoot.getHTML()")}}. ([Firefox bug 1941347](https://bugzil.la/1941347)) + ## Older versions {{Firefox_for_developers}} From bb89fffacf99e5a628cf88310ce23813fe45537c Mon Sep 17 00:00:00 2001 From: Hamish Willee Date: Mon, 5 May 2025 10:08:25 +1000 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Dipika Bhattacharya --- files/en-us/mozilla/firefox/releases/139/index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
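Review bot: the second added line of the hunk reads "replaces the `<` and `>` characters with `<` and `>` (respectively)", which as rendered describes a no-op; the intended replacements are the entity references `&lt;` and `&gt;`, so make sure the source spells them as `` `&lt;` `` and `` `&gt;` `` (a code span keeps the entity literal) rather than as the raw characters, otherwise the note never tells the reader what the serializer actually emits. It would also help to state the attack class the phrase "serialized and then injected back into the DOM" refers to, i.e. mutation XSS (mXSS): an attribute value containing `<` or `>` that is serialized unescaped and re-parsed can break out of the attribute and become markup, which is exactly what escaping at serialization time prevents. Minor: the bold title is followed directly by the preference name with no separator; the other entries on this page use a colon before the preference.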
diff --git a/files/en-us/mozilla/firefox/releases/139/index.md b/files/en-us/mozilla/firefox/releases/139/index.md index fe572aa82ee3468..920a9423fb158f7 100644 --- a/files/en-us/mozilla/firefox/releases/139/index.md +++ b/files/en-us/mozilla/firefox/releases/139/index.md @@ -68,9 +68,9 @@ This article provides information about the changes in Firefox 139 that affect d These features are newly shipped in Firefox 139 but are disabled by default. To experiment with them, search for the appropriate preference on the `about:config` page and set it to `true`. You can find more such features on the [Experimental features](/en-US/docs/Mozilla/Firefox/Experimental_features) page. -- **Escape `<` and `>` in attributes when serializing HTML** `dom.security.html_serialization_escape_lt_gt`. - The browser replaces the `<` and `>` characters with `<` and `>` (respectively) in attributes when serializing HTML, which prevents certain exploits where HTML is serialized and then injected back into the DOM. - The affected methods and properties are: {{domxref("Element.innerHTML")}}, {{domxref("Element.outerHTML")}}, {{domxref("Element.getHTML()")}}, {{domxref("ShadowRoot.innerHTML")}}, and {{domxref("ShadowRoot.getHTML()")}}. ([Firefox bug 1941347](https://bugzil.la/1941347)) +- **Support for escaping `<` and `>` in attributes when serializing HTML**: `dom.security.html_serialization_escape_lt_gt`. + Firefox now replaces the `<` and `>` characters with `<` and `>`, respectively, in attributes when serializing HTML. This helps prevent certain exploits where HTML is serialized and then injected back into the DOM. + The affected methods and properties are: {{domxref("Element.innerHTML")}}, {{domxref("Element.outerHTML")}}, {{domxref("Element.getHTML()")}}, {{domxref("ShadowRoot.innerHTML")}}, and {{domxref("ShadowRoot.getHTML()")}}. ([Firefox bug 1941347](https://bugzil.la/1941347)). ## Older versions
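Review bot: the reworded second line still says the characters are replaced "with `<` and `>`, respectively", so the tautology from the first patch survives the review suggestions; it needs to read `&lt;` and `&gt;` (written as `` `&lt;` `` and `` `&gt;` `` in the Markdown source). "Firefox now replaces" also reads as an unconditional behaviour change, but the section intro two lines above says these features are disabled by default, so prefer "When enabled, Firefox replaces ...". The added colon after the bold title and the trailing period after the bug link bring the entry in line with the other items in this section, which is fine.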