[xsl] HTML5 semantics and XSLT

Subject: [xsl] HTML5 semantics and XSLT
From: "Piez, Wendell A. (Fed) wendell.piez@xxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 23 Feb 2022 16:30:45 -0000

Starting from an interesting post at
https://blog.sonarsource.com/horde-webmail-account-takeover-via-email (brought
to my attention by a colleague) ...

Amazingly, it appears to be true that opened in a current web browser, a
document like the following will proceed to execute the script it contains.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml";>


NB: yes, that supposed MathML is bogus. FWIW this is also different from the
code snippet in the post, which isn't actually realistic. But it documents a
real phenomenon.

The reason I remark on this is that (as noted in the post) it implies that any
template such as this (copied from a widely distributed library), when
targeting HTML, might be problematic on some uncontrolled inputs:

<xsl:template match="*" mode="math">
   <xsl:element name="{local-name()}"
       <xsl:apply-templates select="@*|node()" mode="math"/>

Might this need to be defended, maybe by emitting a prefix on every element
name it makes?

<xsl:template match="*" mode="math">
   <xsl:element name="mml:{local-name()}"
       <xsl:apply-templates select="@*|node()" mode="math"/>

Otherwise, at least as reported in the post cited above, an OpenOffice
document, when previewed in certain execution contexts, can act much like a
Word document with embedded malware.


Regards, Wendell

Current Thread