Mastodon Feed: Post

Boosted by kornel ("Kornel"):
securitymb@infosec.exchange ("Michał Bentkowski (@SecurityMB) 🦻") wrote:

Today we published two blog posts about an HTML specification change that makes mutation XSS harder to exploit! Long story short: `<` and `>` are now escaped in attributes.

* Blog post about security rationale behind this change: https://bughunters.google.com/blog/5038742869770240/escaping-and-in-attributes-how-it-helps-protect-against-mutation-xss
* Blog post about how it affects web developers: https://developer.chrome.com/blog/escape-attributes?hl=en
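As an added illustration (not code from the post or from the linked articles), the snippet below re-implements the attribute-mode "escape a string" step of the HTML fragment serializer in plain JavaScript, with the old rule (escape only `&`, U+00A0 and `"`) and the new rule (also escape `<` and `>`) selectable, together with a decoder that shows the attribute value itself survives the round trip unchanged. The security point: with the old rule, a serialized attribute still carries raw `<`/`>` characters, which a later re-parse in a different context can read as markup; with the new rule no raw angle bracket is left in the serialized attribute, so no parsing context can turn it into a tag. Function names and the sample values are my own.

```javascript
// Added example, not from the post. Pure string code, runs in Node or a browser.

// Attribute-mode escaping as performed by innerHTML/outerHTML serialization.
// escapeAngleBrackets = false reproduces the behaviour before the spec change.
function escapeAttributeValue(value, { escapeAngleBrackets = true } = {}) {
  let out = value
    .replace(/&/g, "&amp;")        // first, so entities produced below are not re-escaped
    .replace(/\u00a0/g, "&nbsp;")  // U+00A0 NO-BREAK SPACE
    .replace(/"/g, "&quot;");
  if (escapeAngleBrackets) {
    // New rule: '<' and '>' are escaped in attribute values as well as in text.
    out = out.replace(/</g, "&lt;").replace(/>/g, "&gt;");
  }
  return out;
}

// Serialize one attribute the way a serializer would emit it: name="value".
function serializeAttribute(name, value, opts) {
  return `${name}="${escapeAttributeValue(value, opts)}"`;
}

// Decode what escapeAttributeValue produced (the parser does this when reading
// the attribute back). '&amp;' is decoded last so '&amp;lt;' becomes '&lt;'.
function unescapeAttributeValue(escaped) {
  return escaped
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&nbsp;/g, "\u00a0")
    .replace(/&amp;/g, "&");
}

// Defender-side check: does the serialized attribute still contain a raw angle
// bracket that a context-shifting re-parse could interpret as markup?
function hasRawAngleBrackets(serialized) {
  return /[<>]/.test(serialized);
}

// Old vs new serialization of the same value, for comparison.
function compareSerializations(name, value) {
  const oldForm = serializeAttribute(name, value, { escapeAngleBrackets: false });
  const newForm = serializeAttribute(name, value);
  return {
    oldForm,
    newForm,
    oldHasRaw: hasRawAngleBrackets(oldForm),
    newHasRaw: hasRawAngleBrackets(newForm),
    // The DOM value (what getAttribute returns) is identical under both rules.
    roundTripsUnchanged:
      unescapeAttributeValue(escapeAttributeValue(value, { escapeAngleBrackets: false })) === value &&
      unescapeAttributeValue(escapeAttributeValue(value)) === value,
  };
}

// Constructed sample values (not taken from the post).
const SAMPLES = ["plain text", 'Tom & "Jerry"', "<b>text that is not a tag</b>"];
for (const v of SAMPLES) {
  console.log(JSON.stringify(v), compareSerializations("title", v));
}
```

Only the serialized string changes; `getAttribute()` and the parsed DOM are the same under both rules, which is why the change is safe for pages that merely read attributes and only visible to code that compares or re-parses `innerHTML` output.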