The HTML specification was updated to escape < and > characters in attributes when serializing DOM to HTML strings, helping prevent mutation XSS vulnerabilities. This change affects innerHTML, outerHTML, and getHTML() methods but doesn't impact HTML parsing or DOM APIs like getAttribute(). The update is rolling out in Chrome 138, Firefox 140, and Safari 26, potentially breaking code that relies on innerHTML/outerHTML for attribute extraction and end-to-end tests expecting unescaped characters.
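The effect on code that reads attributes back out of serialized markup, as an added example (a plain-JavaScript model of the serializer's attribute escaping, not browser or specification code; the function names and the `data-expr` attribute are assumptions made for illustration):

```javascript
// Model of attribute-value escaping during HTML serialization.
// escapeAngleBrackets = false: old behaviour; true: behaviour after the spec change.
function escapeAttrValue(value, escapeAngleBrackets) {
  let out = value
    .replace(/&/g, "&amp;")
    .replace(/\u00A0/g, "&nbsp;")
    .replace(/"/g, "&quot;");
  if (escapeAngleBrackets) {
    out = out.replace(/</g, "&lt;").replace(/>/g, "&gt;");
  }
  return out;
}

// Serializes one childless element the way outerHTML would (model only).
function serialize(tag, attrs, escapeAngleBrackets) {
  const parts = Object.entries(attrs).map(
    ([name, value]) => ` ${name}="${escapeAttrValue(value, escapeAngleBrackets)}"`
  );
  return `<${tag}${parts.join("")}></${tag}>`;
}

// Fragile pattern: pulling an attribute out of serialized markup with a regex.
function extractRaw(html, name) {
  const m = new RegExp(`\\s${name}="([^"]*)"`).exec(html);
  return m ? m[1] : null;
}

// Decodes, in a single pass, the character references the serializer can emit
// in attribute values, so "&amp;lt;" becomes "&lt;" and is not decoded twice.
function decodeAttrValue(text) {
  const map = { "&lt;": "<", "&gt;": ">", "&quot;": '"', "&nbsp;": "\u00A0", "&amp;": "&" };
  return text.replace(/&(?:lt|gt|quot|nbsp|amp);/g, (ref) => map[ref]);
}

// Constructed sample input.
const attrs = { "data-expr": "a < b, c > d" };
const before = serialize("div", attrs, false);
const after = serialize("div", attrs, true);

console.log(before); // old serializer output
console.log(after);  // new serializer output
console.log(extractRaw(after, "data-expr") === attrs["data-expr"]);                  // fragile extraction
console.log(decodeAttrValue(extractRaw(after, "data-expr")) === attrs["data-expr"]); // decoded extraction
```

In a page, `getAttribute()` returns the original value under both behaviours, so it is the stable replacement for string extraction; test snapshots that compare serialized markup need the escaped form.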

3m read time. From developer.chrome.com