Example HTML: <title title=""><iframe src="javascript:javascript:alert(18);"></iframe>test</title>
FYI, I did a little digging and title is on a list called htmlIntegrationElements that seems intended to preserve subtags but escape them, as seen in the above example's output.
I do not see any security issue here because the tags do get escaped, not passed through as live tags, but I share the OP's curiosity as to why this treatment is applied specially to title tags. Is there a deep legacy issue with how people have historically entered title tags with embedded markup and expected it to be treated as text (escaped)? I can readily see how the earliest browsers might have done that (since I was there at the time and recall how messy it all was).
This was introduced in #483. As @boutell says, this treatment aligns with the spec.
One thing that could be done by a sanitizer is to encode entities, which might make things clearer for users. I could see a stream of bug reports coming your way though where people don't want to distort their pristine HTML.
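As an added illustration of why the tags inside `<title>` come back escaped, here is a toy tokenizer (not htmlparser2's own code) that follows the HTML spec's RCDATA rule for title: everything up to the matching end tag is read as text, so the iframe in the thread's example never becomes an element, whereas the same markup inside a `<div>` does. The simplified tag grammar, the attribute-dropping serializer and the `textarea` entry are assumptions of this example.

```javascript
// Elements the HTML parser reads in RCDATA mode: their content is text
// until the matching end tag, so tags inside them never become elements.
const RCDATA_ELEMENTS = new Set(['title', 'textarea']);

// Tokenize an HTML fragment into {type: 'starttag'|'endtag'|'text', ...}.
// Simplified grammar (assumption, not the htmlparser2 tokenizer): a tag is
// '<name ...>' or '</name>', and attribute values contain no '>'.
function tokenize(html) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') {
      const next = html.indexOf('<', i);
      const stop = next === -1 ? html.length : next;
      tokens.push({ type: 'text', data: html.slice(i, stop) });
      i = stop;
      continue;
    }
    const end = html.indexOf('>', i);
    if (end === -1) break;                 // unterminated tag: stop tokenizing
    const raw = html.slice(i + 1, end);
    const isClose = raw.startsWith('/');
    const name = raw.replace(/^\//, '').split(/[\s/]/)[0].toLowerCase();
    tokens.push({ type: isClose ? 'endtag' : 'starttag', name });
    i = end + 1;
    if (!isClose && RCDATA_ELEMENTS.has(name)) {
      // RCDATA: everything up to '</name' (case-insensitive) is one text node
      const closeAt = html.toLowerCase().indexOf('</' + name, i);
      const stop = closeAt === -1 ? html.length : closeAt;
      tokens.push({ type: 'text', data: html.slice(i, stop) });
      i = stop;
    }
  }
  return tokens;
}
// Escape a text node so it cannot be re-read as markup when serialized.
function escapeText(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
// Re-emit the tokens; text is escaped, attributes are dropped in this toy model.
function serialize(tokens) {
  return tokens.map((t) => t.type === 'text' ? escapeText(t.data)
    : t.type === 'endtag' ? `</${t.name}>` : `<${t.name}>`).join('');
}
// The thread's example (from the issue) next to the same markup outside <title>.
const TITLE_SAMPLE = '<title title=""><iframe src="javascript:javascript:alert(18);"></iframe>test</title>';
const DIV_SAMPLE = '<div><iframe src="javascript:javascript:alert(18);"></iframe>test</div>';
// Names of the elements the tokenizer actually opened (i.e. live tags).
const liveTags = (html) => tokenize(html).filter((t) => t.type === 'starttag').map((t) => t.name);
```

`liveTags(TITLE_SAMPLE)` yields only `['title']`, while `liveTags(DIV_SAMPLE)` yields `['div', 'iframe']`; serializing the title case gives `<title>&lt;iframe ...&gt;&lt;/iframe&gt;test</title>`, which is the escaped output the thread describes.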
| Field | Value |
|---|---|
| Owner Name | fb55 |
| Repo Name | htmlparser2 |
| Full Name | fb55/htmlparser2 |
| Language | TypeScript |
| Created Date | 2011-08-27 |
| Updated Date | 2023-03-19 |
| Star Count | 3793 |
| Watcher Count | 50 |
| Fork Count | 370 |
| Issue Count | 4 |