Re: [xsl] HTML5 semantics and XSLT

Subject: Re: [xsl] HTML5 semantics and XSLT
From: "David Carlisle d.p.carlisle@xxxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 23 Feb 2022 17:10:56 -0000
On Wed, 23 Feb 2022 at 16:30, Piez, Wendell A. (Fed) wendell.piez@xxxxxxxx <
xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx> wrote:

> Friends,
>
>
>
> Starting from an interesting post at
> https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
> (brought to my attention by a colleague) b&
>
>
>
> Amazingly, it appears to be true that opened in a current web browser, a
> document like the following will proceed to execute the script it contains.
>
>
>
> <!DOCTYPE html>
> <html xmlns="http://www.w3.org/1999/xhtml";>
>     <head>
>         <title>Boo?</title>
>     </head>
>     <body>
>
>
>     </body>
> </html>
>
>
>
> NB: yes, that supposed MathML is bogus. FWIW this is also different from
> the code snippet in the post, which isn't actually realistic. But it
> documents a real phenomenon.
>
>
>
> The reason I remark on this is that (as noted in the post) it implies that
> any template such as this (copied from a widely distributed library), when
> targeting HTML, might be problematic on some uncontrolled inputs:
>
>
>
> <xsl:template match="*" mode="math">
>
>    <xsl:element name="{local-name()}" namespace=
> http://www.w3.org/1998/Math/MathML>
>
>        <xsl:apply-templates select="@*|node()" mode="math"/>
>
>    </xsl:element>
>
> </xsl:template>
>
>
>
> Might this need to be defended, maybe by emitting a prefix on every
> element name it makes?
>
>
>
> <xsl:template match="*" mode="math">
>
>    <xsl:element name="mml:{local-name()}" namespace=
> http://www.w3.org/1998/Math/MathML>
>
>        <xsl:apply-templates select="@*|node()" mode="math"/>
>
>    </xsl:element>
>
> </xsl:template>
>


prefixing every element is overkill for that particular issue, jut need to
make sure that you don't write an element with name script (in any case) or
if you do that it specifies a type that isn't a synonym for javascript.

The above is the same as

<!DOCTYPE html>
<html wibble="http://www.w3.org/2020/xhtml6";>
    <head>
        <title>Boo?</title>
    </head>
    <body>


    </body>
</html>


and executes the script, conversely this does not

<!DOCTYPE html>
<html>
    <head>
        <title>Boo?</title>
    </head>
    <body>


    </body>
</html>





>
>
> Otherwise, at least as reported in the post cited above, an OpenOffice
> document, when previewed in certain execution contexts, can act much like a
> Word document with embedded malware.
>
>
>
> Comments?
>
>
>
> Regards, Wendell
>
>
> XSL-List info and archive <http://www.mulberrytech.com/xsl/xsl-list>
> EasyUnsubscribe <http://lists.mulberrytech.com/unsub/xsl-list/2739265> (by
> email <>)

Current Thread