Simon Pieters (@zcorpan)'s Twitter Profile
Simon Pieters

@zcorpan

Web standards engineer @mozilla
✍️ htmlparser.info & wpc.guide
🟦 bsky.app/profile/zcorpa…
🐘 @[email protected]

ID: 120038688

05-03-2010 08:49:17

5,5K Tweets

2,2K Followers

524 Following

Sonar Research (@sonar_research)

🧵 [1/4] Here is our DOMPurify 3.2.1 bypass, using a namespace confusion technique where each element is initially in a “correct” namespace. When it was allowed, the ‘is’ attribute was not handled correctly, making the attribute content’s regex check obsolete. #mXSS #XSS

Ronie Berggren (@ronieberggren)

What those who criticize my support for Trump miss is that Swedish media lie about Trump. As a result, they have worldviews that clash with mine - and with the truth. Because Swedish media are not good at the latter. Here are my 50 examples of substandard Swedish reporting on the USA ronieberggren.substack.com/p/femtio-nyans…

Viva Frei (@thevivafrei)

This is undoubtedly one of the single greatest moments in presidential history. Donald Trump asked what it will take for him to believe there is no white genocide going on in South Africa. President Cyril Ramaphosa offers a preposterous answer. Donald Trump then plays five

Una 🇺🇦 (@una)

The State of CSS survey is live! Please take a moment to fill it out 🙂 It really helps us make more informed decisions on how to focus our UI engineering and DevRel efforts! survey.devographics.com/en-US/survey/s…

Simon Pieters (@zcorpan)

It appears Safari no longer autodetects EUC-JP when the macOS UI language is Japanese. github.com/zcorpan/autode… (GH Pages adds `charset=utf-8`, so test locally from file: or localhost.)

Masato Kinugawa (@kinugawamasato)

bugzilla.mozilla.org/show_bug.cgi?i… This is a big change for DOM Clobberers. Firefox Nightly no longer allows native document properties to be overwritten by elements with a name attr, e.g.:

<img src=a name=currentScript>
<script>
alert(document.currentScript)// HTMLScriptElement
</script>

Masato Kinugawa (@kinugawamasato)

I don't know who this will help but I put together a page listing JavaScript APIs that can break Shadow DOM encapsulation :) github.com/masatokinugawa…

Simon Pieters (@zcorpan)

Back from vacation. Nice to see github.com/whatwg/html/pu… has been merged and implemented in Chromium and WebKit! The change shipped in Firefox 140 after progressive rollout to verify web compat.

Oliver Medhurst (@canadahonk)

My ahead-of-time JS engine Porffor eliminates JS cold starts on AWS Lambda. 12x faster and 2x cheaper than managed Node. Still very early but these results should speak for themselves :) Blog with details below.

Jake Archibald (@jaffathecake)

View Transitions are enabled by default in Firefox Nightly, so they're on their way to stable. Give it a test with your current transitions, and give me a shout if anything doesn't look right.

Jake Archibald (@jaffathecake)

Yay! It's the first Firefox release since I've joined the team, so let's take a look at some of the new developer-facing features in Firefox 142… 🧵