Today we published two blog posts about an HTML specification change that makes mutation XSS harder to exploit! Long story short: `<` and `>` are now escaped in attributes.
* Blog post about security rationale behind this change: 
* Blog post about how it affects web developers: 
Blog: Escaping '<' and '>' in attributes – How it helps protect against mutation XSS
The HTML specification has been updated to escape '<' and '>' in attributes to prevent mutation XSS (mXSS) vulnerabilities. This post details the r...
Chrome for Developers
HTML spec change: escaping < and > in attributes | Blog | Chrome for Developers
What you need to know about this change to how attributes are escaped.