arnog / mathlive

A web component for easy math input
https://cortexjs.io/mathlive
MIT License

SECURITY(XSS): Request for Github Security Advisory #2580

Closed nsysean closed 2 weeks ago

nsysean commented 4 weeks ago

It'd be quite dangerous to disclose the vulnerability here, and thus I humbly request for a security advisory to be opened for safe, private discussion.

Thanks

arnog commented 4 weeks ago

You can now open a private security advisory in the project.

nsysean commented 4 weeks ago

I have opened a security advisory, thanks for the quick response!

brianlukoff commented 2 weeks ago

GitHub is now reporting the vulnerability with 0.104.0 as a fixed version, but the latest published version is 0.103.0. Is it possible to publish the fix?

arnog commented 2 weeks ago

A version including the fix will be published.

I was confused because I didn't know you were using MathLive (https://www.perusall.com/attributions doesn't mention it). Glad to see that apparently "[it] has become a heavily used feature in many Perusall STEM courses." (https://www.perusall.com/blog/new-features-march-2023)

brianlukoff commented 2 weeks ago

Thanks! We'd be happy to add MathLive to that page -- just let me know how you would like to be credited. MathLive is a great component and we're delighted to be able to use it.

nsysean commented 2 weeks ago

Hey @arnog, upon reinspection I do want to remind you that KaTeX does add the data- prefix to \htmlData, and the current fix allows for issues ranging from regular XSS to DOM clobbering.

By the way, please request for a CVE in the security advisory after you patch the vulnerability or optionally open a new security advisory if you prefer that.

Thanks
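The data- prefix point raised in the comment above, as an added illustration that is not MathLive's or KaTeX's own code: it assumes the KaTeX-style `\htmlData{key=value, key2=value2}` syntax and contrasts a naive mapping of keys to attribute names with a hardened one that validates each key and always emits `data-<key>`, so the author of a formula can only ever set custom data attributes.

```javascript
// Added example, not MathLive's implementation. Assumed input syntax follows
// KaTeX \htmlData: comma-separated key=value pairs, each rendered as data-<key>.

const KEY_RE = /^[a-z][a-z0-9-]*$/i; // conservative attribute-name grammar (assumption)

// Split "foo=bar, bar=baz" into [["foo","bar"],["bar","baz"]].
// Values containing commas are not supported by this simple parser.
function parseHtmlDataPairs(spec) {
  return spec.split(',')
    .map((p) => p.trim())
    .filter((p) => p.length > 0)
    .map((p) => {
      const i = p.indexOf('=');
      if (i < 0) throw new Error(`\\htmlData: missing '=' in "${p}"`);
      return [p.slice(0, i).trim(), p.slice(i + 1).trim()];
    });
}

// Unsafe shape of the problem: the key is used verbatim as the attribute name,
// so whoever writes the formula chooses the attribute (event handlers, id, name),
// which is exactly what enables XSS and DOM clobbering.
function naiveAttributes(spec) {
  const attrs = {};
  for (const [k, v] of parseHtmlDataPairs(spec)) attrs[k] = v;
  return attrs;
}

// Hardened: reject keys outside a strict grammar and always prefix with
// "data-", so the result can only ever be a custom data attribute.
function safeHtmlDataAttributes(spec) {
  const attrs = {};
  for (const [k, v] of parseHtmlDataPairs(spec)) {
    if (!KEY_RE.test(k)) throw new Error(`\\htmlData: rejected key "${k}"`);
    attrs[`data-${k.toLowerCase()}`] = v;
  }
  return attrs;
}

// Apply to a DOM element (browser only). setAttribute never parses markup,
// so the value cannot smuggle in extra attributes or tags.
function applyHtmlData(el, spec) {
  for (const [name, value] of Object.entries(safeHtmlDataAttributes(spec))) {
    el.setAttribute(name, value);
  }
  return el;
}
```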

arnog commented 2 weeks ago

> Thanks! We'd be happy to add MathLive to that page -- just let me know how you would like to be credited. MathLive is a great component and we're delighted to be able to use it.

Fantastic! Something like "Built with the Open Source MathLive math editor. Learn more at https://cortexjs.io" would be great.

brianlukoff commented 2 weeks ago

Thanks -- I've added it to our attributions page!