Subject: [xsl] HTML5 semantics and XSLT
From: "Piez, Wendell A. (Fed) wendell.piez@xxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 23 Feb 2022 16:30:45 -0000
Friends,

Starting from an interesting post at https://blog.sonarsource.com/horde-webmail-account-takeover-via-email (brought to my attention by a colleague) ...

Amazingly, it appears to be true that, opened in a current web browser, a document like the following will proceed to execute the script it contains.

  <!DOCTYPE html>
  <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
      <title>Boo?</title>
    </head>
    <body>
    </body>
  </html>

NB: yes, that supposed MathML is bogus. FWIW this is also different from the code snippet in the post, which isn't actually realistic. But it documents a real phenomenon.

The reason I remark on this is that (as noted in the post) it implies that any template such as this (copied from a widely distributed library), when targeting HTML, might be problematic on some uncontrolled inputs:

  <xsl:template match="*" mode="math">
    <xsl:element name="{local-name()}" namespace="http://www.w3.org/1998/Math/MathML">
      <xsl:apply-templates select="@*|node()" mode="math"/>
    </xsl:element>
  </xsl:template>

Might this need to be defended, maybe by emitting a prefix on every element name it makes?

  <xsl:template match="*" mode="math">
    <xsl:element name="mml:{local-name()}" namespace="http://www.w3.org/1998/Math/MathML">
      <xsl:apply-templates select="@*|node()" mode="math"/>
    </xsl:element>
  </xsl:template>

Otherwise, at least as reported in the post cited above, an OpenOffice document, when previewed in certain execution contexts, can act much like a Word document with embedded malware.

Comments?

Regards, Wendell
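A hardened stylesheet along the lines Wendell suggests, added here as an example (it is not the quoted library's template nor code from the cited post): it keeps the mml: prefix, additionally emits only allowlisted MathML element names, and drops on* attributes, which fire even on element names the HTML parser does not recognise. The sample input is constructed and embedded in the stylesheet itself; the file name safe-math.xsl and the use of an XSLT 1.0 processor such as xsltproc are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hardened mode="math" handling (added example; not the library template quoted above).
     Two defences: every emitted MathML element carries the mml: prefix, so an HTML5
     parser never sees a bare <script>, and only allowlisted MathML local-names are
     emitted at all. The constructed sample input lives in ex:sample and is read back
     via document(''); run with e.g.: xsltproc safe-math.xsl safe-math.xsl -->
<xsl:stylesheet version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:mml="http://www.w3.org/1998/Math/MathML"
  xmlns:ex="urn:x-example:sample-input"
  exclude-result-prefixes="ex">
  <xsl:output method="html" indent="yes"/>
  <!-- Constructed untrusted input: one real MathML element and one element that
       only borrows the MathML namespace (the pattern the post describes). -->
  <ex:sample>
    <math>
      <mi onmouseover="/* untrusted */">x</mi>
      <script>/* untrusted */</script>
    </math>
  </ex:sample>
  <!-- Allowlist (a subset of MathML; extend as the library requires). Spaces delimit names. -->
  <xsl:variable name="mathml-names"
    select="' math mrow mi mn mo mtext mspace msup msub mfrac msqrt mroot mtable mtr mtd '"/>
  <xsl:template match="/">
    <html><body>
      <xsl:apply-templates select="document('')/*/ex:sample/*" mode="math"/>
    </body></html>
  </xsl:template>

  <xsl:template match="*" mode="math">
    <xsl:choose>
      <!-- Known MathML name: emit it with an explicit prefix -->
      <xsl:when test="contains($mathml-names, concat(' ', local-name(), ' '))">
        <xsl:element name="mml:{local-name()}" namespace="http://www.w3.org/1998/Math/MathML">
          <xsl:apply-templates select="@*|node()" mode="math"/>
        </xsl:element>
      </xsl:when>
      <!-- Anything else is dropped; leave a trace for whoever debugs the output -->
      <xsl:otherwise>
        <xsl:comment> dropped non-MathML element: <xsl:value-of select="local-name()"/> </xsl:comment>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>

  <!-- Event-handler attributes (on*) are dropped; all other attributes are copied through -->
  <xsl:template match="@*[starts-with(local-name(), 'on')]" mode="math"/>
  <xsl:template match="@*" mode="math"><xsl:copy/></xsl:template>
</xsl:stylesheet>
```

The output contains `<mml:math>` and `<mml:mi>x</mml:mi>` (without the handler attribute) and an HTML comment in place of the script element, so nothing remains that an HTML5 parser would treat as a script.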