Escape "<" and ">" when serializing attribute values

zcorpan · zcorpan · commit ac056b2ada33 · 2021-02-05T11:20:22.000+01:00
Avoid a class of XSS attacks where markup goes through a lossy parse-serialize-parse roundtrip and the original attribute value is parsed in the data state. This reverts 4eeb8a1. Fixes #6235.
diff --git a/source b/source
@@ -112246,14 +112246,15 @@ console.assert(container.firstChild instanceof SuperP);
    <li><p>Replace any occurrences of the U+00A0 NO-BREAK SPACE character by the string "<code
    data-x="">&amp;nbsp;</code>".</p></li>
 
-   <li><p>If the algorithm was invoked in the <i>attribute mode</i>, replace any occurrences of the
-   "<code data-x="">&quot;</code>" character by the string "<code
-   data-x="">&amp;quot;</code>".</p></li>
+   <li><p>Replace any occurrences of the "<code data-x="">&lt;</code>" character by the string
+   "<code data-x="">&amp;lt;</code>".</p></li>
+
+   <li><p>Replace any occurrences of the "<code data-x="">&gt;</code>" character by the string
+   "<code data-x="">&amp;gt;</code>".</p></li>
 
-   <li><p>If the algorithm was <em>not</em> invoked in the <i>attribute mode</i>, replace any
-   occurrences of the "<code data-x="">&lt;</code>" character by the string "<code
-   data-x="">&amp;lt;</code>", and any occurrences of the "<code data-x="">&gt;</code>" character by
-   the string "<code data-x="">&amp;gt;</code>".</p></li>
+   <li><p>If the algorithm was invoked in the <i>attribute mode</i>, then replace any occurrences of
+   the "<code data-x="">&quot;</code>" character by the string "<code
+   data-x="">&amp;quot;</code>".</p></li>
   </ol>
 
 
