Table of Contents
- Will Escaping Angle Brackets in innerHTML Break the Web? Unveiling the Urgent Chromium Issue!
- What Is mXSS (Mutation Cross-Site Scripting)?
- Why Are Angle Brackets a Problem?
- Example of the Issue
- The Chromium Security Proposal
- Key Points from the Chromium Discussion
- Potential Impacts
- What Should Developers and Site Owners Do?
- Summary
Will Escaping Angle Brackets in innerHTML Break the Web? Unveiling the Urgent Chromium Issue!
Web browsers are facing a significant security challenge that could have far-reaching effects on website compatibility and user experience. A recent discussion in the Chromium bug tracker highlights plans to change how browsers handle angle brackets (“<” and “>”) within HTML attributes and the innerHTML property, aiming to prevent a dangerous vulnerability known as mutation cross-site scripting (mXSS).
What Is mXSS (Mutation Cross-Site Scripting)?
- mXSS stands for mutation cross-site scripting, a type of security vulnerability first identified in 2007 by researcher Masato Hasegawa.
- It occurs when browsers incorrectly handle certain characters—like backticks or angle brackets—inside HTML, allowing attackers to inject and execute malicious code.
- mXSS exploits often target how browsers parse and mutate HTML through properties like innerHTML, making it possible for harmful scripts to slip through even if input is sanitized.
Why Are Angle Brackets a Problem?
- Angle brackets (“<” and “>”) define the start and end of HTML tags.
- If these characters appear inside attribute values or as part of dynamic HTML (e.g., through innerHTML), browsers can become confused—sometimes interpreting them as actual tags instead of plain text.
- This confusion can allow attackers to inject code, leading to security breaches.
Example of the Issue
<form id=”outer”><div></form><form id=”inner”><input>
If angle brackets are not properly escaped, browsers may misinterpret the HTML structure, opening the door for malicious code execution.
The Chromium Security Proposal
Chromium developers are considering automatically escaping “<” and “>” in attribute values to block mXSS attacks. This change is under review (see pull request #6362) and is intended to make it harder for attackers to exploit browser parsing quirks. However, this fix could have unintended negative consequences for web compatibility, potentially breaking websites that rely on the current behavior.
Key Points from the Chromium Discussion
- The current browser behavior dates back to as early as 2008, with similar implementations in WebKit since around 2011.
- No one yet knows the full impact this change could have on the modern web. Many sites may depend on the existing parsing logic.
- If browsers start escaping these characters by default, some web pages and apps might not render or function as intended, leading to serious disruptions.
Potential Impacts
Positive: Improved security by closing a critical loophole that allows mXSS attacks.
Negative: Risk of breaking existing websites, web applications, and browser-based tools that rely on the traditional handling of angle brackets in HTML.
What Should Developers and Site Owners Do?
- Stay informed about upcoming browser changes related to mXSS protections.
- Test your websites and applications with browser beta versions that include these changes.
- Review and update code that uses innerHTML or dynamically sets HTML attributes, ensuring proper escaping and sanitization.
Summary
The proposed changes to how browsers handle angle brackets in HTML aim to enhance security but could also disrupt website compatibility. Developers should be proactive in understanding and preparing for these changes to minimize negative impacts while benefiting from improved browser security.