Subject: Re: [xsl] HTML5 semantics and XSLT
From: "Piez, Wendell A. (Fed) wendell.piez@xxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 23 Feb 2022 18:30:40 -0000

Hi,

Mike Kay is right, this has nothing to do with the MathML namespace. Any namespace would do. (The MathML namespace just happened to turn up in the place where this purported exploit was described.)

David and Norm are also right that this is not an XSLT bug or an XML bug: they are working as designed.

Others are saying they can't even see the offending < s c r i p t xmlns = whathaveyou>(script)< / s c r i p t > that I typed into my email, which suggests scrubbing - not entirely surprising I suppose! It's a good thing the list doesn't take attachments, I guess, or my alert("Boo") might be fired off somewhere.

Cheers, Wendell

From: Michael Kay mike@xxxxxxxxxxxx <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, February 23, 2022 11:48 AM
To: xsl-list <xsl-list@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [xsl] HTML5 semantics and XSLT

I don't think I've understood the significance of the mathml namespace in all this. And presumably any harm that can be done using this exploit could equally be done by executing untrusted HTML in the browser directly?

Michael Kay
Saxonica

On 23 Feb 2022, at 16:31, Piez, Wendell A. (Fed) wendell.piez@xxxxxxxx <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx> wrote:

Friends,

Starting from an interesting post at https://blog.sonarsource.com/horde-webmail-account-takeover-via-email (brought to my attention by a colleague) ...

Amazingly, it appears to be true that opened in a current web browser, a document like the following will proceed to execute the script it contains.

  <!DOCTYPE html>
  <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
      <title>Boo?</title>
    </head>
    <body>
      <!-- placeholder: the script element declared in a bogus MathML
           namespace that stood here was scrubbed from the archived mail -->
    </body>
  </html>

NB: yes, that supposed MathML is bogus. FWIW this is also different from the code snippet in the post, which isn't actually realistic. But it documents a real phenomenon.

The reason I remark on this is that (as noted in the post) it implies that any template such as this (copied from a widely distributed library), when targeting HTML, might be problematic on some uncontrolled inputs:

  <xsl:template match="*" mode="math">
    <xsl:element name="{local-name()}" namespace="http://www.w3.org/1998/Math/MathML">
      <xsl:apply-templates select="@*|node()" mode="math"/>
    </xsl:element>
  </xsl:template>

Might this need to be defended, maybe by emitting a prefix on every element name it makes?

  <xsl:template match="*" mode="math">
    <xsl:element name="mml:{local-name()}" namespace="http://www.w3.org/1998/Math/MathML">
      <xsl:apply-templates select="@*|node()" mode="math"/>
    </xsl:element>
  </xsl:template>

Otherwise, at least as reported in the post cited above, an OpenOffice document, when previewed in certain execution contexts, can act much like a Word document with embedded malware.

Comments?

Regards, Wendell

XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
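The mechanism the thread turns on, as an added example that is not part of any list post: an HTML parser names an element by its tag alone, so an xmlns attribute does nothing to stop a namespaced "script" from running, while the prefixed name the second template emits is inert. The sample source document and serialized outputs are constructed, the set of active element names is this example's own choice, and the XSLT itself is not executed.

```python
"""Why the namespace does not help and what the mml: prefix changes: an HTML
parser names an element by its tag alone; xmlns="..." is just an attribute.
Sample markup below is constructed, not from the thread; the XSLT itself is
not executed here."""
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
MATHML_NS = "http://www.w3.org/1998/Math/MathML"
# Element names that execute or load active content when parsed as HTML.
ACTIVE_HTML_NAMES = {"script", "iframe", "object", "embed", "style", "link"}

class TagRecorder(HTMLParser):
    """Record each start tag exactly as an HTML tokenizer names it."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)  # "script" vs "mml:script"; xmlns is ignored

def html_active_tags(markup):
    """Tag names in serialized output that a browser would treat as active."""
    rec = TagRecorder()
    rec.feed(markup)
    rec.close()
    return [t for t in rec.tags if t in ACTIVE_HTML_NAMES]

def foreign_active_elements(xml_doc):
    """Input-side check before transforming: (namespace, local-name) of every
    element with an active HTML name in a namespace other than XHTML."""
    hits = []
    for el in ET.fromstring(xml_doc).iter():
        ns, _, local = el.tag[1:].partition("}") if el.tag[0] == "{" else ("", "", el.tag)
        if local in ACTIVE_HTML_NAMES and ns != XHTML_NS:
            hits.append((ns, local))
    return hits

# Constructed samples: a source document with a rogue element in the MathML
# namespace, and what each template from the thread would emit for it.
SOURCE = f'<doc><math xmlns="{MATHML_NS}"><mi>x</mi><script>alert("Boo")</script></math></doc>'
UNPREFIXED = f'<p><script xmlns="{MATHML_NS}">alert("Boo")</script></p>'
PREFIXED = f'<p><mml:script xmlns:mml="{MATHML_NS}">alert("Boo")</mml:script></p>'

if __name__ == "__main__":
    print(foreign_active_elements(SOURCE))  # [('http://www.w3.org/1998/Math/MathML', 'script')]
    print(html_active_tags(UNPREFIXED))     # ['script']: the browser runs it
    print(html_active_tags(PREFIXED))       # []: "mml:script" is inert
```

Running the input-side check over untrusted math content before applying the first template, or switching to the prefixed template, closes the gap the thread describes.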