Since foreignObject is not allowed, the only places you can use HTML or MathML would be title or desc (at least in a text/html context). Since both of those are invisible, it doesn't seem compelling to allow usage of HTML or MathML elements at all?
Allowing HTML tag names makes it easier to find bypasses, especially when the output is used inline in text/html.
Sounds reasonable to me to drop all Other-ML elements due to foreignObject not being allowed.
Besides that, there probably should be more unit test cases for exactly these kinds of scenarios.
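To make the policy argued for above concrete, here is an added example (not code from this thread or from any sanitizer project): a namespace-aware allowlist walk over a hand-built element tree. When foreignObject is forbidden, the HTML and MathML allowlists are dropped wholesale, so the only remaining spots for foreign content (title and desc, which never render) are emptied of it; when foreignObject is allowed, foreign content is accepted only underneath it, never as a direct child of an ordinary SVG element. The namespaces are the standard ones; the tag lists, tree model, and the inputs in CASES are constructed for this example and are far shorter than a real sanitizer's.

```javascript
// Added example, not from the thread or from any sanitizer project.
// Namespace-aware allowlist walk implementing the policy discussed above.

const SVG_NS = 'http://www.w3.org/2000/svg';
const HTML_NS = 'http://www.w3.org/1999/xhtml';
const MATHML_NS = 'http://www.w3.org/1998/Math/MathML';

// Deliberately short allowlists, constructed for this example.
const BASE_ALLOWLIST = {
  [SVG_NS]: new Set(['svg', 'g', 'rect', 'circle', 'path', 'text', 'title', 'desc', 'foreignObject']),
  [HTML_NS]: new Set(['div', 'span', 'p', 'b', 'i', 'img']),
  [MATHML_NS]: new Set(['math', 'mrow', 'mi', 'mn', 'mo']),
};

// Minimal tree model: elements carry a namespace, a local name and children;
// text nodes carry only their data. Attributes are out of scope here.
const el = (ns, name, children = []) => ({ ns, name, children });
const txt = (data) => ({ text: data });
const nsPrefix = (ns) => ({ [SVG_NS]: 'svg', [HTML_NS]: 'html', [MATHML_NS]: 'mathml' }[ns] || '?');

// Effective allowlist for a profile. With foreignObject forbidden there is no
// visible place left for foreign content, so the HTML and MathML lists are
// dropped entirely instead of being trusted to be bypass-free.
function effectiveAllowlist({ allowForeignObject }) {
  const svg = new Set(BASE_ALLOWLIST[SVG_NS]);
  if (allowForeignObject) {
    return { [SVG_NS]: svg, [HTML_NS]: BASE_ALLOWLIST[HTML_NS], [MATHML_NS]: BASE_ALLOWLIST[MATHML_NS] };
  }
  svg.delete('foreignObject');
  return { [SVG_NS]: svg };
}

// Keep only allowlisted elements. Foreign (non-SVG) content is additionally
// accepted only under <foreignObject> or under another foreign element, never
// as a direct child of an ordinary SVG element such as <title>, <desc> or <g>.
// A removed element takes its whole subtree with it (the conservative choice).
function sanitize(root, opts) {
  const allowed = effectiveAllowlist(opts);
  const removed = [];
  const walk = (node, parent) => {
    if ('text' in node) return node;
    const names = allowed[node.ns];
    const foreignUnderSvg = node.ns !== SVG_NS && parent !== null
      && parent.ns === SVG_NS && parent.name !== 'foreignObject';
    if (!names || !names.has(node.name) || foreignUnderSvg) {
      removed.push(nsPrefix(node.ns) + ':' + node.name);
      return null;
    }
    return { ...node, children: node.children.map((c) => walk(c, node)).filter(Boolean) };
  };
  return { tree: walk(root, null), removed };
}

// Serialize back to markup for inspection; text is escaped, and the model has
// no attributes, so there are none to handle.
function serialize(node) {
  if (node === null) return '';
  if ('text' in node) return node.text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
  return '<' + node.name + '>' + node.children.map(serialize).join('') + '</' + node.name + '>';
}

// Constructed inputs covering the scenarios raised in the thread.
const CASES = {
  htmlInTitle: el(SVG_NS, 'svg', [
    el(SVG_NS, 'title', [txt('Chart'), el(HTML_NS, 'b', [txt('bold')])]),
    el(SVG_NS, 'rect'),
  ]),
  mathmlInDesc: el(SVG_NS, 'svg', [
    el(SVG_NS, 'desc', [el(MATHML_NS, 'math', [el(MATHML_NS, 'mi', [txt('x')])])]),
  ]),
  htmlInForeignObject: el(SVG_NS, 'svg', [
    el(SVG_NS, 'foreignObject', [el(HTML_NS, 'div', [txt('hello')])]),
  ]),
  htmlUnderG: el(SVG_NS, 'svg', [
    el(SVG_NS, 'g', [el(HTML_NS, 'img')]),
  ]),
};

function run(caseName, opts) {
  const { tree, removed } = sanitize(CASES[caseName], opts);
  return { markup: serialize(tree), removed };
}

// Stand-alone demo: every case under both profiles.
for (const name of Object.keys(CASES)) {
  for (const allowForeignObject of [false, true]) {
    const r = run(name, { allowForeignObject });
    console.log(name, 'allowForeignObject=' + allowForeignObject, r.markup, r.removed);
  }
}
```

The `run` helper doubles as the shape of the unit tests asked for above: each case pins down both the surviving markup and the list of removed elements, so a later change that quietly starts letting HTML tag names through a title or desc fails loudly.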