Closed nsysean closed 2 weeks ago
You can now open a private security advisory in the project.
I have opened a security advisory, thanks for the quick response!
GitHub is now reporting the vulnerability with 0.104.0 as a fixed version, but the latest published version is 0.103.0. Is it possible to publish the fix?
A version including the fix will be published.
I was confused because I didn't know you were using MathLive (https://www.perusall.com/attributions doesn't mention it). Glad to see that apparently "[it] has become a heavily used feature in many Perusall STEM courses." (https://www.perusall.com/blog/new-features-march-2023)
Thanks! We'd be happy to add MathLive to that page -- just let me know how you would like to be credited. MathLive is a great component and we're delighted to be able to use it.
Hey @arnog upon reinspection I do want to remind you that KaTeX does add the `data-` prefix to `\htmlData`, and the current fix allows for issues ranging from regular XSS to DOM clobbering.
By the way, please request a CVE in the security advisory after you patch the vulnerability, or optionally open a new security advisory if you prefer that.
Thanks
Fantastic! Something like "Build with the Open Source MathLive math editor. Learn more at https://cortexjs.io" would be great.
Thanks -- I've added it to our attributions page!
It'd be quite dangerous to disclose the vulnerability here, and thus I humbly request that a security advisory be opened for safe, private discussion.
Thanks