RE: https://mastodon.social/@MerriNet/115305163473416888

Indeed

Intutively for a DOM Sanitizer configuration that looks like the following:

{
elements: ["div", "span"],
attributes: ["class"],
}

For a <div> element, which attributes do you think should/would be allowed?

(Boost appreciated)

Just published: "The Web's Most Tolerated Feature" by @jugglinmike https://www.bocoup.com/blog/the-webs-most-tolerated-feature

@patrickbrosset @rgadellaa Yep. Thanks!

@patrickbrosset @rgadellaa Yes. https://html.spec.whatwg.org/multipage/images.html#images:~:text=For%20better%20backwards%2Dcompatibility%20with%20legacy%20user%20agents%20that%20don%27t%20support%20the%20auto%20keyword%2C%20fallback%20sizes%20can%20be%20specified%20if%20desired

⚠️ Last chance to fill out #StateOfHTML 2025 and get browsers to pay attention to your web platform pain points!

After popular demand, the survey closing date has been extended for a few more days so that returning OOO folks get a chance to fill it out too!

https://survey.devographics.com/en-US/survey/state-of-html/2025/?source=leaverou

@securitymb Good point! Filed https://github.com/whatwg/html/issues/11397

@securitymb Right. But script and style are actual SVG elements so those are likely most risky compat-wise.

Elements or character references or CDATA sections, or even comments.

@asuh @keithamus @bramus can you expand on why widows & orphans? Do you want them for print or multicol?

If you use "AI agents" (LLMs calling tools in a loop) you need to be aware of the Lethal Trifecta

Any time you combine access to private data, exposure to untrusted content and the ability to externally communicate an attacker can trick the system into stealing your data https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

@securitymb

> While there’s currently no proposal that addresses this issue, the Google Information Security Engineering team is planning to explore options to fix this vector as well.

Let's do it. I've written about improving consistency in parsing before: https://x.com/zcorpan/status/1339517144053243906

Although making SVG style and script tokenize like HTML doesn't necessarily solve mXSS, it seems like an improvement. Removing the scripting enabled check for noscript is another, but it would break the feature.

Today we published two blog posts about an HTML specification change that makes mutation XSS harder to exploit! Long story short: `<` and `>` are now escaped in attributes.

* Blog post about security rationale behind this change: https://bughunters.google.com/blog/5038742869770240/escaping-and-in-attributes-how-it-helps-protect-against-mutation-xss
* Blog post about how it affects web developers: https://developer.chrome.com/blog/escape-attributes?hl=en

Remember this tiny change to the HTML spec?

It just prevented a critical bug in an application we are currently testing.

https://github.com/whatwg/html/commit/e21bd3b4a94bfdbc23d863128e0b207be9821a0f

❤️ cc @freddy @securitymb

@cure53 @freddy @securitymb Yay!

@bkardell @Schepp @timsev @Kilian @keithamus there was pushback to implement the a11y mapping in 2014, see https://www.w3.org/Bugs/Public/show_bug.cgi?id=25003

In 2019, Firefox implemented (in Nightly only) the outline algorithm and found that it regressed usability for various existing content:
https://github.com/whatwg/html/pull/3499#issuecomment-544876110
https://bugzilla.mozilla.org/show_bug.cgi?id=1590366

That I think was the nail in the coffin for the outline algorithm.

@eeeps thank you or thank you

I wrote an article that was #1 on the orange website for a bit earlier today

https://news.ycombinator.com/item?id=43649853

Starting March 31, 50% of Firefox beta 138 users will have the change where <h1> always has the same UA style, even in article, aside, nav, section.

Also, Lighthouse will fail a check if you have an <h1> without font-size specified.

Advice for web developers: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/Heading_Elements#specifying_a_uniform_font_size_for_h1

Context: https://mastodon.social/@zcorpan/113839012551439287

@eeeps @johannes it seems possible. Though changing object-fit would need to be a relevant mutation. File an issue 🙂

Last week I did a little talk on the brand new command&commandfor attributes! And you can watch it right here:

https://londonwebstandards.org/talks/everything-you-need-to-know-about-invoker-commands/