Re: [xsl] HTML5 semantics and XSLT

["Piez, Wendell A. (Fed) wendell.piez@xxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>]

Hi,

Mike Kay is right, this has nothing to do with the MathML namespace. Any
namespace would do. (The MathML namespace just happened to turn up in the
place where this purported exploit was described.) David and Norm are also
right that this is not an XSLT bug or an XML bug: they are working as
designed.

Others are saying they can't even see the offending < s c r i p t xmlns =
whathaveyou>(script)< / s c r I p t > that I typed into my email, which
suggests scrubbing - not entirely surprising I suppose! It's a good thing the
list doesn't take attachments, I guess, or my alert("Boo") might be fired off
somewhere.

Cheers, Wendell

From: Michael Kay mike@xxxxxxxxxxxx <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, February 23, 2022 11:48 AM
To: xsl-list <xsl-list@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [xsl] HTML5 semantics and XSLT

I don't think I've understood the significance of the mathml namespace in all
this.

And presumably any harm that can be done using this exploit could equally be
done by executing untrusted HTML in the browser directly?

Michael Kay
Saxonica


On 23 Feb 2022, at 16:31, Piez, Wendell A. (Fed)
wendell.piez@xxxxxxxx<mailto:wendell.piez@xxxxxxxx>
<xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx<mailto:xsl-list-service@xxxxxxxxxxxx
rytech.com>> wrote:

Friends,

Starting from an interesting post at
https://blog.sonarsource.com/horde-webmail-account-takeover-via-email<https:/
/gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fblog.sonarsource.c
om%2Fhorde-webmail-account-takeover-via-email&data=04%7C01%7Cwendell.piez%40n
ist.gov%7C4fb0caa1e98d4d84cb5808d9f6ec3b37%7C2ab5d82fd8fa4797a93e054655c61dec
%7C1%7C0%7C637812316750696466%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJ
QIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=GCSrguxHP%2BqKgmR0el
Men1jVYniB0v9Fn3RVJAI8F7s%3D&reserved=0> (brought to my attention by a
colleague) ...

Amazingly, it appears to be true that opened in a current web browser, a
document like the following will proceed to execute the script it contains.

<!DOCTYPE html>
<html
xmlns="http://www.w3.org/1999/xhtml<https://gcc02.safelinks.protection.outloo
k.com/?url=http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml&data=04%7C01%7Cwendell.piez
%40nist.gov%7C4fb0caa1e98d4d84cb5808d9f6ec3b37%7C2ab5d82fd8fa4797a93e054655c6
1dec%7C1%7C0%7C637812316750696466%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDA
iLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=AHMNKUdTdDXU5bc2
NBTTKZpCtNFCS2TENDmxm0CmLos%3D&reserved=0>">
    <head>
        <title>Boo?</title>
    </head>
    <body>

    </body>
</html>

NB: yes, that supposed MathML is bogus. FWIW this is also different from the
code snippet in the post, which isn't actually realistic. But it documents a
real phenomenon.

The reason I remark on this is that (as noted in the post) it implies that any
template such as this (copied from a widely distributed library), when
targeting HTML, might be problematic on some uncontrolled inputs:

<xsl:template match="*" mode="math">
   <xsl:element name="{local-name()}"
namespace=http://www.w3.org/1998/Math/MathML<https://gcc02.safelinks.protecti
on.outlook.com/?url=http%3A%2F%2Fwww.w3.org%2F1998%2FMath%2FMathML&data=04%7C
01%7Cwendell.piez%40nist.gov%7C4fb0caa1e98d4d84cb5808d9f6ec3b37%7C2ab5d82fd8f
a4797a93e054655c61dec%7C1%7C0%7C637812316750696466%7CUnknown%7CTWFpbGZsb3d8ey
JWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata
=67vjn50nTWtT97eyUzIvzhoXtPuJfeenRxOh8qNnyIc%3D&reserved=0>>
       <xsl:apply-templates select="@*|node()" mode="math"/>
   </xsl:element>
</xsl:template>

Might this need to be defended, maybe by emitting a prefix on every element
name it makes?

<xsl:template match="*" mode="math">
   <xsl:element name="mml:{local-name()}"
namespace=http://www.w3.org/1998/Math/MathML<https://gcc02.safelinks.protecti
on.outlook.com/?url=http%3A%2F%2Fwww.w3.org%2F1998%2FMath%2FMathML&data=04%7C
01%7Cwendell.piez%40nist.gov%7C4fb0caa1e98d4d84cb5808d9f6ec3b37%7C2ab5d82fd8f
a4797a93e054655c61dec%7C1%7C0%7C637812316750696466%7CUnknown%7CTWFpbGZsb3d8ey
JWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata
=67vjn50nTWtT97eyUzIvzhoXtPuJfeenRxOh8qNnyIc%3D&reserved=0>>
       <xsl:apply-templates select="@*|node()" mode="math"/>
   </xsl:element>
</xsl:template>

Otherwise, at least as reported in the post cited above, an OpenOffice
document, when previewed in certain execution contexts, can act much like a
Word document with embedded malware.

Comments?

Regards, Wendell

XSL-List info and
archive<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.
mulberrytech.com%2Fxsl%2Fxsl-list&data=04%7C01%7Cwendell.piez%40nist.gov%7C4f
b0caa1e98d4d84cb5808d9f6ec3b37%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C6
37812316750696466%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzI
iLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=L%2BPL9awsl7TSx%2B2kwBi0%2FzlaPX
JyBGUG9UFnVH9zbaI%3D&reserved=0>
EasyUnsubscribe<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2
F%2Flists.mulberrytech.com%2Funsub%2Fxsl-list%2F293509&data=04%7C01%7Cwendell
.piez%40nist.gov%7C4fb0caa1e98d4d84cb5808d9f6ec3b37%7C2ab5d82fd8fa4797a93e054
655c61dec%7C1%7C0%7C637812316750696466%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLj
AwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=G8Cb6vuT4kG
QCEcmiam7IfZf6xtg4augi80ZpS0vJBI%3D&reserved=0> (by email)

XSL-List info and
archive<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.
mulberrytech.com%2Fxsl%2Fxsl-list&data=04%7C01%7Cwendell.piez%40nist.gov%7C4f
b0caa1e98d4d84cb5808d9f6ec3b37%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C6
37812316750696466%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzI
iLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=L%2BPL9awsl7TSx%2B2kwBi0%2FzlaPX
JyBGUG9UFnVH9zbaI%3D&reserved=0>
EasyUnsubscribe<https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2
F%2Flists.mulberrytech.com%2Funsub%2Fxsl-list%2F3302254&data=04%7C01%7Cwendel
l.piez%40nist.gov%7C4fb0caa1e98d4d84cb5808d9f6ec3b37%7C2ab5d82fd8fa4797a93e05
4655c61dec%7C1%7C0%7C637812316750696466%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wL
jAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=zTYUnnlVZm
7aSF8lyWN%2FiABB4luRGZbZgU2syrewUnE%3D&reserved=0> (by email<>)