fix(packages): escape HTML special chars in serializeAttributes to prevent XSS

[Jerricho93]

Summary

serializeAttributes interpolated attribute values directly into HTML strings without encoding. Because the result is assigned to shadowRoot.innerHTML at construction time, and Shadow DOM does not sandbox script execution, any attribute value containing " (e.g. a user-controlled poster, src, or crossorigin) could break out of the attribute and inject event handlers or <script> siblings into the shadow root.

Changes per sink:

• utils: add private escapeAttributeValue that encodes &, <, >, " (ampersand first to prevent double-encoding); apply in serializeAttributes
• html/BackgroundVideo: remove the local duplicate serializeAttributes; import the shared util and pick against the existing attribute allowlist
• html/define/background: remove dead _attrs parameter (was passed to a template that never interpolated it)
• icons/scripts/build: inline esc() in the generated renderIcon function body to close the codegen sink
• site/build-ejected-skins: extend the partial local escapeAttributeValue to also cover < and >

Testing

• New packages/utils/src/dom/tests/attributes.test.ts: 9 cases covering all four chars, boolean branch, ampersand-first ordering regression, and namedNodeMapToObject raw-value preservation
• New packages/html/src/media/background-video/tests/background-video.test.ts: quote breakout, angle-bracket injection, non-allowlisted attribute filtering, boolean attrs, safe value round-trip
• Extended packages/core/.../custom-media-element.test.ts: describe('XSS prevention') with 4 cases
• New apps/e2e/tests/xss-prevention.spec.ts: 3 Playwright tests exercising the construction-time path via container.innerHTML

Validation

pnpm -F @videojs/utils test src/dom/tests/attributes.test.ts
pnpm -F @videojs/core test src/dom/media/custom-media-element
pnpm -F @videojs/html test src/media/background-video
pnpm test:e2e:vite
pnpm typecheck
pnpm lint

Known issue (follow-up)

CustomMediaElement has a pre-existing attribute routing inconsistency: getAttrsFromProps uses .toLowerCase() to build observedAttributes (e.g. crossorigin, controlslist, disableremoteplayback), while #define uses kebabCase to key mediaHostAttrToProp (e.g. cross-origin, controls-list, disable-remote-playback). Because these never match, multi-word attributes are never added to the disallowed set and always flow through serializeAttributes rather than attributeChangedCallback. This means post-construction setAttribute calls for those attributes do not sync to the media host setter. This fix makes serializeAttributes safe, closing the injection vector — but the routing inconsistency itself should be tracked and corrected separately.

Closes #1562

---

Note

Medium Risk
Security fix on construction-time shadow HTML for media elements; behavior change is limited to escaping special characters in serialized attributes, with broad test coverage but many call sites rely on the shared helper.

Overview
Closes an XSS path where attribute values were interpolated into shadowRoot.innerHTML without encoding, so crafted poster, src, crossorigin, etc. could break out of quotes and inject markup or handlers in custom media shadow roots.

serializeAttributes now runs values through a shared escapeHtml helper (&, <, >, ", with & first). BackgroundVideo drops its local serializer and uses the shared util with an explicit video-attribute allowlist; background-video-skin stops passing unused attrs into its template. Icon renderIcon codegen and ejected-skin media-icon HTML apply the same escaping for dynamic attribute strings.

Coverage adds unit tests for escapeHtml / serializeAttributes, XSS cases for CustomMediaElement and BackgroundVideo, and Playwright checks on hls-video construction via innerHTML.

^{Reviewed by Cursor Bugbot for commit d222690. Bugbot is set up for automated code reviews on this repo. Configure here.}

[vercel]

@Jerricho93 is attempting to deploy a commit to the Mux Team on Vercel.

A member of the Team first needs to authorize it.

[netlify]

👷 Deploy request for vjs10-site pending review.

Visit the deploys page to approve it

Name	Link
🔨 Latest commit	d222690

[luwes]

👍

[luwes]

can we move this to its own file and name it more generic escapeHtml(). it's pretty common as utility.
https://github.com/videojs/v10/blob/440145e9de980fda317b11ae2b7ee3abdc7e3ff7/packages/utils/src/string/escape-html.ts#L10

[Jerricho93]

Updated!

[luwes]

why is this removed?

[Jerricho93]

The _attrs parameter is not being used here. If we were to accept attrs in getTemplateHTML without escaping, it would introduce the same issues we're fixing with this PR. If there is a plan in the future to add this (by removing _ to attrs), we can reintroduce it and add the escape logic now. Does it makes sense? Otherwise, at this point in time in the code, this is effectively dead code

[luwes]

would like some small changes but looks good overall!

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 449c141. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
v10-sandbox	Ready	Preview, Comment	Jun 10, 2026 8:03pm