Subject: Re: [xsl] HTML5 semantics and XSLT
From: "David Carlisle d.p.carlisle@xxxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 23 Feb 2022 17:00:36 -0000
On Wed, 23 Feb 2022 at 16:30, Piez, Wendell A. (Fed) wendell.piez@xxxxxxxx <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx> wrote:

> Friends,
>
> Starting from an interesting post at
> https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
> (brought to my attention by a colleague) …
>
> Amazingly, it appears to be true that opened in a current web browser, a
> document like the following will proceed to execute the script it contains.
>
> <!DOCTYPE html>
> <html xmlns="http://www.w3.org/1999/xhtml">
> <head>
> <title>Boo?</title>
> </head>
> <body>
>
> </body>
> </html>

Isn't this expected? If you parse as HTML then the xmlns attribute is ignored, so that's just a normal HTML element with a standard JavaScript script. If you serve it as text/xml and parse as XHTML then things would be different.

David

> NB: yes, that supposed MathML is bogus. FWIW this is also different from
> the code snippet in the post, which isn't actually realistic. But it
> documents a real phenomenon.
>
> The reason I remark on this is that (as noted in the post) it implies that
> any template such as this (copied from a widely distributed library), when
> targeting HTML, might be problematic on some uncontrolled inputs:
>
> <xsl:template match="*" mode="math">
>   <xsl:element name="{local-name()}" namespace="http://www.w3.org/1998/Math/MathML">
>     <xsl:apply-templates select="@*|node()" mode="math"/>
>   </xsl:element>
> </xsl:template>
>
> Might this need to be defended, maybe by emitting a prefix on every
> element name it makes?
>
> <xsl:template match="*" mode="math">
>   <xsl:element name="mml:{local-name()}" namespace="http://www.w3.org/1998/Math/MathML">
>     <xsl:apply-templates select="@*|node()" mode="math"/>
>   </xsl:element>
> </xsl:template>
>
> Otherwise, at least as reported in the post cited above, an OpenOffice
> document, when previewed in certain execution contexts, can act much like a
> Word document with embedded malware.
>
> Comments?
>
> Regards, Wendell
>
> XSL-List info and archive <http://www.mulberrytech.com/xsl/xsl-list>
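The exchange above makes two points that are easy to check mechanically: `local-name()` discards whatever prefix or namespace the input element carried, and an HTML parser discards `xmlns` as well, so an input element whose local name happens to be `script` comes out of the unprefixed template as an ordinary HTML `<script>`, while the `mml:` variant yields a tag name the HTML parser does not recognise. The following is an added example, not code from the thread, from the cited post or from the library Wendell quotes. It models the two templates in standard-library Python: `emit` stands in for `xsl:element` plus an HTML serializer, `html.parser` stands in for the browser tokenizer on the one property at issue (it knows nothing about namespaces; it does not implement HTML5 foreign-content tree building), and `UNTRUSTED_FRAGMENT`, `<object>` container included, is a constructed input whose element names are attacker-chosen.

```python
"""Model of the "math" mode template and of the two ways its output can be parsed."""
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

MATHML_NS = "http://www.w3.org/1998/Math/MathML"
XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed sample input (not from the thread or the cited post). The <object>
# container stands for the part of an untrusted document that gets handed to the
# "math" mode; everything below it, including element names, is attacker-chosen.
UNTRUSTED_FRAGMENT = f"""<object xmlns:m="{MATHML_NS}">
<m:math><m:mi>x</m:mi></m:math>
<m:script>alert(document.domain)</m:script>
</object>"""


def local_name(tag):
    """XPath local-name() for an ElementTree tag spelled '{uri}local'."""
    return tag.rsplit("}", 1)[-1]


def emit(elem, prefix=None, declare_ns=True):
    """Stand-in for <xsl:element name="{local-name()}" namespace="...MathML">
    (prefix=None) or name="mml:{local-name()}" (prefix="mml"), serialised as an
    HTML output method would write it: the name as given, plus the namespace
    declaration that goes on the outermost generated element."""
    name = local_name(elem.tag) if prefix is None else f"{prefix}:{local_name(elem.tag)}"
    attrs = ""
    if declare_ns:
        attrs = f' xmlns="{MATHML_NS}"' if prefix is None else f' xmlns:{prefix}="{MATHML_NS}"'
    inner = elem.text or ""
    for child in elem:
        inner += emit(child, prefix, declare_ns=False) + (child.tail or "")
    return f"<{name}{attrs}>{inner}</{name}>"


def transform_fragment(xml_text, prefix=None):
    """Apply the template to each element child of the container, as
    <xsl:apply-templates select="*" mode="math"/> would; the container is not copied."""
    container = ET.fromstring(xml_text)
    return "".join(emit(child, prefix) for child in container)


class HtmlView(HTMLParser):
    """Stand-in for a browser's HTML tokenizer on the one property that matters
    here: it has no notion of xmlns, so the tag name alone decides what an
    element is, and 'mml:script' is just a different, inert, tag name."""

    def __init__(self):
        super().__init__()
        self.tags = []           # start tags in document order
        self.script_bodies = []  # text that would reach the JavaScript engine
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "script":
            self._in_script = True
            self.script_bodies.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_bodies[-1] += data


def parse_as_html(markup):
    view = HtmlView()
    view.feed(markup)
    view.close()
    return view


def html_scripts(markup):
    """JavaScript an HTML parser would execute from this markup."""
    return parse_as_html(markup).script_bodies


def xml_element_names(markup):
    """The same bytes parsed as XML (what an XHTML document served as
    application/xhtml+xml gets): the namespace is honoured, so the element is
    {MathML}script, which is not the HTML script element."""
    root = ET.fromstring(f'<root xmlns="{XHTML_NS}">{markup}</root>')
    return [e.tag for e in root.iter() if e is not root]


if __name__ == "__main__":
    for label, prefix in (("unprefixed local-name()", None), ("mml:{local-name()}", "mml")):
        out = transform_fragment(UNTRUSTED_FRAGMENT, prefix)
        print(label, "->", out)
        print("  HTML parser sees tags:", parse_as_html(out).tags)
        print("  scripts that would run:", html_scripts(out))
        print("  XML parser sees:", xml_element_names(out))
```

The constructed input deliberately places the `script` element beside the `math` element rather than inside it, matching the case David describes: once `xmlns` is ignored, the unprefixed output is just a top-level HTML `<script>` with a JavaScript body, whereas the prefixed output tokenizes as `mml:script`, which is an unknown element and runs nothing. Parsed as XML instead, the unprefixed output gives `{http://www.w3.org/1998/Math/MathML}script`, which is why serving the result as XML behaves differently. A real HTML output method may differ in details such as whether it writes the `xmlns` declaration at all; that does not change the outcome, since the HTML parser disregards it either way.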