If title tag is around an iframe tag, then iframe is not recognized as a tag.

This issue has been tracked since 2022-08-18.

Example HTML: <title title=""><iframe src="javascript:javascript:alert(18);"></iframe>test</title>

boutell wrote this answer on 2022-09-02

FYI, I did a little digging and title is on a list called htmlIntegrationElements that seems intended to preserve subtags but escape them, as seen in the above example's output.

I do not see any security issue here because the tags do get escaped, not passed through as live tags, but I share the OP's curiosity as to why this treatment is applied specially to title tags. Is there a deep legacy issue with how people have historically entered title tags with embedded markup and expected it to be treated as text (escaped)? I can readily see how the earliest browsers might have done that (since I was there at the time and recall how messy it all was).

fb55 wrote this answer on 2022-09-02

This was introduced in #483. As @boutell says, this treatment aligns with the spec.

One thing that could be done by a sanitizer is to encode entities, which might make things clearer for users. I could see a stream of bug reports coming your way though where people don't want to distort their pristine HTML.
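
The behaviour discussed above, as an added example that is not part of the thread and not the project's code: a toy tokenizer that treats `<title>` content as text and entity-encodes it on output. It assumes the HTML spec's RCDATA rule for `title` and `textarea`; the names `tokenize`, `liveTags` and `serialize` are hypothetical.

```javascript
// Added illustration: a toy tokenizer, not the parser discussed in the thread.
// Assumption: <title> and <textarea> are RCDATA per the HTML spec. Simplified:
// attribute values containing ">" and character references are not handled.
const RCDATA = new Set(["title", "textarea"]);
const TAG = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/;

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function tokenize(html) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    const m = TAG.exec(html.slice(i));
    if (!m) {
      // Plain text (or a stray "<"): consume up to the next "<".
      let next = html.indexOf("<", i + 1);
      if (next === -1) next = html.length;
      tokens.push({ type: "text", value: html.slice(i, next) });
      i = next;
      continue;
    }
    const name = m[2].toLowerCase();
    tokens.push({ type: m[1] ? "close" : "open", name });
    i += m[0].length;
    if (!m[1] && RCDATA.has(name)) {
      // Everything before </name> is text, even if it looks like markup.
      const rest = html.slice(i);
      const end = rest.search(new RegExp("</" + name + "[\\s/>]", "i"));
      const stop = end === -1 ? rest.length : end;
      if (stop > 0) tokens.push({ type: "text", value: rest.slice(0, stop) });
      i += stop;
    }
  }
  return tokens;
}

// Names of the elements the tokenizer treats as live tags.
const liveTags = (html) =>
  tokenize(html).filter((t) => t.type === "open").map((t) => t.name);

// Re-serialize with text entity-encoded (attributes dropped for brevity).
const serialize = (html) =>
  tokenize(html).map((t) => t.type === "text" ? escapeText(t.value)
    : (t.type === "close" ? "</" : "<") + t.name + ">").join("");

// Inputs: the issue's sample, and (constructed) the same iframe inside a <div>.
const inTitle = '<title title=""><iframe src="javascript:javascript:alert(18);"></iframe>test</title>';
const inDiv = '<div><iframe src="javascript:javascript:alert(18);"></iframe>test</div>';
console.log(liveTags(inTitle), liveTags(inDiv), serialize(inTitle));
```

Inside `<title>` only `title` is reported as a tag and the iframe markup comes back entity-encoded; inside `<div>` the iframe is tokenized as an element.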

boutell wrote this answer on 2022-09-02
