<-prev [Thread] next-> <-prev [Date] next->
Month Index | List Home

Re: [xsl] HTML5 semantics and XSLT

Subject: Re: [xsl] HTML5 semantics and XSLT
From: "Michael Kay mike@xxxxxxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 23 Feb 2022 16:47:03 -0000
I don't think I've understood the significance of the mathml namespace in all
this.

And presumably any harm that can be done using this exploit could equally be
done by executing untrusted HTML in the browser directly?

Michael Kay
Saxonica

> On 23 Feb 2022, at 16:31, Piez, Wendell A. (Fed) wendell.piez@xxxxxxxx
<xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Friends,
>
> Starting from an interesting post at
https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
<https://blog.sonarsource.com/horde-webmail-account-takeover-via-email>
(brought to my attention by a colleague) b&
>
> Amazingly, it appears to be true that opened in a current web browser, a
document like the following will proceed to execute the script it contains.
>
> <!DOCTYPE html>
> <html xmlns="http://www.w3.org/1999/xhtml <http://www.w3.org/1999/xhtml>">
>     <head>
>         <title>Boo?</title>
>     </head>
>     <body>
>
>     </body>
> </html>
>
> NB: yes, that supposed MathML is bogus. FWIW this is also different from the
code snippet in the post, which isn't actually realistic. But it documents a
real phenomenon.
>
> The reason I remark on this is that (as noted in the post) it implies that
any template such as this (copied from a widely distributed library), when
targeting HTML, might be problematic on some uncontrolled inputs:
>
> <xsl:template match="*" mode="math">
>    <xsl:element name="{local-name()}"
namespace=http://www.w3.org/1998/Math/MathML
<http://www.w3.org/1998/Math/MathML>>
>        <xsl:apply-templates select="@*|node()" mode="math"/>
>    </xsl:element>
> </xsl:template>
>
> Might this need to be defended, maybe by emitting a prefix on every element
name it makes?
>
> <xsl:template match="*" mode="math">
>    <xsl:element name="mml:{local-name()}"
namespace=http://www.w3.org/1998/Math/MathML
<http://www.w3.org/1998/Math/MathML>>
>        <xsl:apply-templates select="@*|node()" mode="math"/>
>    </xsl:element>
> </xsl:template>
>
> Otherwise, at least as reported in the post cited above, an OpenOffice
document, when previewed in certain execution contexts, can act much like a
Word document with embedded malware.
>
> Comments?
>
> Regards, Wendell
>
> XSL-List info and archive <http://www.mulberrytech.com/xsl/xsl-list>
> EasyUnsubscribe <http://lists.mulberrytech.com/unsub/xsl-list/293509> (by
email <>)
Current Thread
<- PreviousIndexNext ->
[xsl] HTML5 semantics and XSLT, Piez, Wendell A. (Fe Thread Re: [xsl] HTML5 semantics and XSLT, Piez, Wendell A. (Fe
[xsl] HTML5 semantics and XSLT, Piez, Wendell A. (Fe Date Re: [xsl] HTML5 semantics and XSLT, Norm Tovey-Walsh ndw
Month