Re: [xsl] HTML5 semantics and XSLT

Subject: Re: [xsl] HTML5 semantics and XSLT
From: "David Carlisle d.p.carlisle@xxxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 23 Feb 2022 17:00:36 -0000
On Wed, 23 Feb 2022 at 16:30, Piez, Wendell A. (Fed) wendell.piez@xxxxxxxx <
xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx> wrote:

> Friends,
>
>
>
> Starting from an interesting post at
> https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
> (brought to my attention by a colleague) ...
>
> Amazingly, it appears to be true that, opened in a current web browser, a
> document like the following will proceed to execute the script it contains.
>
> <!DOCTYPE html>
> <html xmlns="http://www.w3.org/1999/xhtml">
>     <head>
>         <title>Boo?</title>
>     </head>
>     <body>
>
>     </body>
> </html>
>


Isn't this expected? If you parse as HTML then the xmlns attribute is
ignored, so that's just a normal HTML element with a standard JavaScript
script.
If you serve it as text/xml and parse as XHTML then things would be
different.

David




>
>
> NB: yes, that supposed MathML is bogus. FWIW this is also different from
> the code snippet in the post, which isn't actually realistic. But it
> documents a real phenomenon.
>
>
>
> The reason I remark on this is that (as noted in the post) it implies that
> any template such as this (copied from a widely distributed library), when
> targeting HTML, might be problematic on some uncontrolled inputs:
>
>
>
> <xsl:template match="*" mode="math">
>    <xsl:element name="{local-name()}" namespace="http://www.w3.org/1998/Math/MathML">
>        <xsl:apply-templates select="@*|node()" mode="math"/>
>    </xsl:element>
> </xsl:template>
>
>
>
> Might this need to be defended, maybe by emitting a prefix on every
> element name it makes?
>
>
>
> <xsl:template match="*" mode="math">
>    <xsl:element name="mml:{local-name()}" namespace="http://www.w3.org/1998/Math/MathML">
>        <xsl:apply-templates select="@*|node()" mode="math"/>
>    </xsl:element>
> </xsl:template>
>
>
>
> Otherwise, at least as reported in the post cited above, an OpenOffice
> document, when previewed in certain execution contexts, can act much like a
> Word document with embedded malware.
>
>
>
> Comments?
>
>
>
> Regards, Wendell
>
>
> XSL-List info and archive <http://www.mulberrytech.com/xsl/xsl-list>
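One way to combine the prefixing Wendell proposes with an allowlist, as an added example that is not from this thread or from the library he quotes: every element name that reaches the output is checked against a fixed list of MathML names and always carries the mml: prefix, so an HTML parser (which, as David notes, ignores the xmlns attribute) never meets an unprefixed name it could treat as a native HTML element. The allowlist, the attribute list and the entry template are illustrative assumptions; it needs an XSLT 3.0 processor.

```xslt
<xsl:stylesheet version="3.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:mml="http://www.w3.org/1998/Math/MathML"
    exclude-result-prefixes="xs">

  <xsl:output method="html" html-version="5"/>

  <!-- Illustrative allowlist of MathML presentation elements (an assumption;
       extend it to what your input legitimately uses). -->
  <xsl:variable name="mml-allowed" as="xs:string*"
      select="('math', 'mrow', 'mi', 'mn', 'mo', 'mtext', 'mspace',
               'mfrac', 'msup', 'msub', 'msubsup', 'msqrt', 'mroot',
               'mtable', 'mtr', 'mtd', 'mstyle', 'munder', 'mover')"/>

  <!-- Illustrative entry point: treat the whole input document as math. -->
  <xsl:template match="/">
    <xsl:apply-templates select="*" mode="math"/>
  </xsl:template>

  <!-- Only allowlisted names are reproduced, and always with the mml: prefix,
       so the HTML serialization never contains an unprefixed name that an
       HTML parser could take for its own element; anything else is dropped. -->
  <xsl:template match="*" mode="math">
    <xsl:if test="local-name() = $mml-allowed">
      <xsl:element name="mml:{local-name()}"
                   namespace="http://www.w3.org/1998/Math/MathML">
        <xsl:apply-templates select="@*" mode="math"/>
        <xsl:apply-templates select="node()" mode="math"/>
      </xsl:element>
    </xsl:if>
  </xsl:template>

  <!-- Attributes: copy a handful of presentation attributes (illustrative
       list) and silently drop every other attribute. -->
  <xsl:template match="@mathvariant | @display | @mathsize
                     | @fence | @stretchy | @columnalign" mode="math">
    <xsl:copy/>
  </xsl:template>
  <xsl:template match="@*" mode="math"/>

  <!-- Text is emitted as text; the HTML serializer escapes it, so it cannot
       become markup. -->
  <xsl:template match="text()" mode="math">
    <xsl:value-of select="."/>
  </xsl:template>

</xsl:stylesheet>
```

Dropping unknown elements outright is a design choice; a stylesheet that must preserve content could instead emit their text content (still inert once escaped) while still refusing to reproduce the element name.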
