FYI, I did a little digging and
title is on a list called
htmlIntegrationElements that seems intended to preserve subtags but escape them, as seen in the above example's output.
I do not see any security issue here because the tags do get escaped, not passed through as live tags, but I share the OP's curiosity as to why this treatment is applied specially to title tags. Is there a deep legacy issue with how people have historically entered title tags with embedded markup and expected it to be treated as text (escaped)? I can readily see how the earliest browsers might have done that (since I was there at the time and recall how messy it all was).
This was introduced in #483. As @boutell says, this treatment aligns with the spec.
One thing that could be done by a sanitizer is to encode entities, which might make things clearer for users. I could see a stream of bug reports coming your way though where people don't want to distort their pristine HTML.
|Issue Title||Created Date||Updated Date|