mathjax / MathJax

Beautiful and accessible math in all browsers
http://www.mathjax.org/
Apache License 2.0

Url sanitization bypass in ui/safe #2885

Open sgoedecke opened 2 years ago

sgoedecke commented 2 years ago

Issue Summary

With ui/safe enabled, it's still possible to render javascript: protocol links by including \n or \r characters in the protocol.

Steps to Reproduce:

Go to this codepen: https://codepen.io/sgoedecke/pen/KKQJyPw

Rendering this notebook with the ui/safe extension will create a link that, when clicked, executes that JS alert(1) code. Explicitly adding

    safeOptions: {
      allow: { URLs: 'safe' },
      safeProtocols: { http: 'true', https: 'true', javascript: 'false' }
    }

doesn't fix the problem.

Technical details:

I am using the following MathJax configuration:

    window.MathJax = {
      loader: {
        load: ['ui/safe']
      }
    };

and loading MathJax via <script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js"></script>

Supporting information:

sgoedecke commented 2 years ago

I've submitted a PR with a fix here: https://github.com/mathjax/MathJax-src/pull/829. If you agree with this fix, I'd like to also port it to the legacy-v2-develop branch.
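The bug class behind this report is worth seeing in code: a URL checker that compares the raw text before the first ':' against a protocol list will never match "java\nscript", yet browsers drop ASCII tab, LF and CR from a URL before parsing it, so the href still runs as javascript:. The following is an added example written for this thread, not MathJax's ui/safe code and not the content of PR #829; the allowlist, function names and the "relative URLs are allowed" rule are assumptions chosen to illustrate the hardened check.

```javascript
// Added example (not MathJax code): a naive protocol check next to one that
// normalizes a URL the way browsers do before deciding whether it is safe.

// Assumed allowlist, modelled on the issue's safeProtocols option.
const SAFE_PROTOCOLS = new Set(['http', 'https']);

// Naive check: everything before the first ':' taken verbatim.
// For "java\nscript:alert(1)" this returns "java\nscript", which neither
// matches an allowed protocol nor the blocked "javascript", so code that only
// compares against known-bad names can fall through and keep the link.
function naiveProtocol(url) {
  const i = url.indexOf(':');
  return i < 0 ? null : url.slice(0, i);
}

// Browsers strip these from anywhere in the URL before parsing it.
const ASCII_TAB_OR_NEWLINE = /[\t\n\r]/g;
// ...and trim leading/trailing C0 controls and spaces.
const EDGE_C0_OR_SPACE = /^[\u0000-\u0020]+|[\u0000-\u0020]+$/g;
// A URL scheme is a letter followed by letters, digits, '+', '-' or '.'.
const SCHEME = /^([a-z][a-z0-9+.-]*):/;

// Hardened check: normalize first, then extract the scheme. Returns the
// lower-cased scheme, or null when the URL has no scheme (i.e. is relative).
function normalizedProtocol(url) {
  const cleaned = String(url)
    .replace(EDGE_C0_OR_SPACE, '')
    .replace(ASCII_TAB_OR_NEWLINE, '');
  const m = SCHEME.exec(cleaned.toLowerCase());
  return m ? m[1] : null;
}

// Allowlist decision: relative URLs pass, otherwise the normalized scheme
// must be in the allowed set. Anything else (javascript:, data:, ...) is
// rejected, including obfuscated spellings of those schemes.
function isSafeUrl(url, allowed = SAFE_PROTOCOLS) {
  const proto = normalizedProtocol(url);
  return proto === null || allowed.has(proto);
}

// Constructed sample hrefs for demonstration.
const SAMPLES = [
  'https://example.com/',
  '/relative/path',
  'javascript:alert(1)',
  'java\nscript:alert(1)',
  '\tJavaScript\r:alert(1)',
  'data:text/html,x',
];

for (const href of SAMPLES) {
  console.log(
    JSON.stringify(href),
    'naive:', JSON.stringify(naiveProtocol(href)),
    'normalized:', normalizedProtocol(href),
    'safe:', isSafeUrl(href),
  );
}
```

The point of the design is to normalize before classifying and to decide by allowlist rather than by blocklist: once tab, LF and CR are removed and the scheme is lower-cased, the obfuscated forms collapse to "javascript" and are rejected by the same rule that rejects the plain spelling.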