A small note from the "world of web browsers". There is a discussion in the Chromium bug tracker about angle brackets ("<" and ">"), which can occur as characters in HTML attribute values or in innerHTML. Escaping of these characters is now to be introduced to prevent mXSS attacks. However, this could "break" the Chromium browsers (and other browsers).
What is mXSS?
mXSS stands for "mutation cross-site scripting". According to this source, this cross-site scripting (XSS) vector was discovered by Hasegawa back in 2007. The researcher had come across an incorrect handling of the backtick character (`) in a browser implementation. While this initially looked like an implementation error, it turned out to be the first example of a new class of XSS vectors, later referred to as mutation-based XSS vectors (mXSS). These mXSS vectors can occur in innerHTML and related properties.
Specifically, it is about characters that can occur in HTML attributes and tags. For example, the angle brackets ("<" and ">") that delimit HTML tags could also appear as characters in the values of attributes of these tags.
The browser would then have to escape these characters so that they are interpreted as part of the attribute value and not as the opening and closing angle brackets of HTML tags. Mutations can also arise when HTML tags are nested incorrectly, as in the following markup:
<form id="outer"><div></form><form id="inner"><input>
Using the corresponding characters ("<" and ">") in an attribute of an HTML tag, an attacker could embed malicious code in a website or web app, which is then parsed and executed. There is an mXSS Cheat Sheet with examples on GitHub. mXSS affects all three major browser families: IE, Firefox and Chrome.
What is the Chromium discussion about?
The handling of such mXSS vectors in innerHTML is not solved in the current Chrome browser implementations: instead of escaping the characters, the content is parsed and executed.
I recently came across the above post by Lukasz Olejnik on the topic, which has been discussed in the Chromium Issues Tracker since February 2025 under "Escape "<" and ">" when escaping HTML attribute values to avoid mXSS".
There is a pull request, "Escape "<" and ">" when serializing attribute values" #6362, to eliminate mXSS attacks in the Chromium browser. One commenter points out that the web-compatibility implications of this change are not yet known.
What is known is that the current behavior dates back to 2008 (or probably 2011 for WebKit), when this implementation shipped. If mXSS protection were implemented in browsers, it could lead to serious rendering issues on existing websites.
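To make the mechanism behind the proposed change concrete, here is an added example (not code from the post, from Chromium or from the pull request) that implements the serializer's attribute-value escaping with and without the new "<" and ">" rule, then re-tokenizes the result the way the HTML tokenizer treats a raw-text element such as <noscript> with scripting enabled. The element, tag and attribute value used are constructed for the demonstration; the only thing that "leaks" is a harmless <b> tag.

```javascript
// Escaping per the HTML "escaping a string" algorithm in attribute mode.
// Old behaviour escapes only "&", U+00A0 and '"'; the proposed change
// additionally escapes "<" and ">".
function serializeAttributeValue(value, escapeAngleBrackets) {
  let out = value
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/"/g, '&quot;');
  if (escapeAngleBrackets) {
    out = out.replace(/</g, '&lt;').replace(/>/g, '&gt;');
  }
  return out;
}

// Emulates the tokenizer's RAWTEXT state: the content of a raw-text element
// ends at the first "</tagname" followed by whitespace, "/" or ">",
// regardless of any attribute quotes that happen to surround it.
function rawTextEnd(html, start, tagName) {
  const re = new RegExp('</' + tagName + '(?=[\\s/>])', 'gi');
  re.lastIndex = start;
  const m = re.exec(html);
  return m ? m.index : html.length;
}

// Serialize <noscript><a title=...></a></noscript> as a DOM (parsed with
// scripting disabled, e.g. by DOMParser) would, then re-tokenize it as a
// live document (scripting enabled) would.  Returns the raw text the parser
// keeps as text and the remainder it would parse as real markup.
function roundTrip(title, escapeAngleBrackets) {
  const serialized = '<noscript><a title="' +
    serializeAttributeValue(title, escapeAngleBrackets) + '"></a></noscript>';
  const start = '<noscript>'.length;
  const end = rawTextEnd(serialized, start, 'noscript');
  return {
    serialized,
    rawText: serialized.slice(start, end),
    remainder: serialized.slice(end + '</noscript>'.length),
  };
}

// Constructed attribute value: with the old escaping it closes the raw-text
// element early and the <b> tag becomes real markup (the "mutation"); with
// the new escaping the whole element survives the round trip intact.
const mutated = roundTrip('</noscript><b>mutated</b>', false);
const intact = roundTrip('</noscript><b>mutated</b>', true);
console.log('old:', mutated.remainder);   // starts with <b>mutated</b>
console.log('new:', intact.remainder);    // empty string
```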