Open NSoiffer opened 4 years ago
Hello. I was looking for an appropriate issue to attach a recent piece of news I spotted, and since this issue discusses malignmark
, it seems appropriate. There is a recent post about bypassing the sanitization of DOMPurify through an abuse of parsing MathML in HTML, details here:
https://portswigger.net/daily-swig/dompurify-mutation-xss-bypass-achieved-through-mathml-namespace-confusion
Summarized as:
In the MathML namespace, two special elements – mglyph and malignmark – allow the creation of a markup that is “in HTML namespace, but on reparsing it is in MathML namespace, [meaning that] the subsequent style tag [is] parsed differently and leading to XSS,” the researcher explained.
This might be relevant if you're searching for additional reasons for deprecation.
Kind of weird that it is mglyph and malignmark and not maligngroup. I read the link and there was no hint as to why those two and not maligngroup or any other element with empty content.
On Fri, Oct 9, 2020 at 4:02 PM Deyan Ginev notifications@github.com wrote:
Hello. I was looking for an appropriate issue to attach a recent piece of news I spotted, and since this issue discusses malignmark, it seems appropriate. There is a recent post about bypassing the sanitization of DOMPurify through an abuse of parsing MathML in HTML, details here:
Summarized as:
In the MathML namespace, two special elements – mglyph and malignmark – allow the creation of a markup that is “in HTML namespace, but on reparsing it is in MathML namespace, [meaning that] the subsequent style tag [is] parsed differently and leading to XSS,” the researcher explained.
This might be relevant if you're searching for additional reasons for deprecation.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/mathml-refresh/mathml/issues/181#issuecomment-706436798, or unsubscribe https://github.com/notifications/unsubscribe-auth/AALZM3HME3RMGCKAY6HMDXTSJ6JBXANCNFSM4KCGBEGA .
On Thu, 15 Oct 2020 at 21:41, NSoiffer notifications@github.com wrote:
Kind of weird that it is mglyph and malignmark and not maligngroup. I read the link and there was no hint as to why those two and not maligngroup or any other element with empty content.
maligngroup is only used in mathml containers like mrow so is not a problem.
mglyph is allowed in token elements and in a mathml-in-html elements token
elements are the entry point for html so most elements inside an
On Fri, Oct 9, 2020 at 4:02 PM Deyan Ginev notifications@github.com wrote:
Hello. I was looking for an appropriate issue to attach a recent piece of news I spotted, and since this issue discusses malignmark, it seems appropriate. There is a recent post about bypassing the sanitization of DOMPurify through an abuse of parsing MathML in HTML, details here:
Summarized as:
In the MathML namespace, two special elements – mglyph and malignmark – allow the creation of a markup that is “in HTML namespace, but on reparsing it is in MathML namespace, [meaning that] the subsequent style tag [is] parsed differently and leading to XSS,” the researcher explained.
This might be relevant if you're searching for additional reasons for deprecation.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub < https://github.com/mathml-refresh/mathml/issues/181#issuecomment-706436798 , or unsubscribe < https://github.com/notifications/unsubscribe-auth/AALZM3HME3RMGCKAY6HMDXTSJ6JBXANCNFSM4KCGBEGA
.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/mathml-refresh/mathml/issues/181#issuecomment-709578549, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAJVYAXNEM475TJ2U7M7XXDSK5M6FANCNFSM4KCGBEGA .
Thanks for the explanation -- that makes sense.
the schema has been updated to restrict use of malignmark, and to remove grouplaign attribute except in legacy schema
https://github.com/mathml-refresh/mathml-schema/commit/4e897dc8f3925d7e0dbaedcb06fa10417e2ee3c4
Having just implemented a polyfill for elementary math, that got me thinking about some related ideas:
mlongdiv
, butmstack
).There are a few complications such as decimal alignment of the coefficients:
Note that alignment requires knowing what characters/operators act as column separators (e.g.,
+
and-
, along with=
and a few other relational operators). These would be inside ofmo
elements, so potentially anymo
element could be a separator, or maybe an attribute specifies what the separators are (something to think about/discuss).The above example is taken from the MathML 3 spec for
maligngroup
andmalignmark
. I think only MathPlayer ever implemented those elements and I suspect that you can count on your fingers the number of times they have been used. It is a very complicated feature to implement and to use. In contrast, I think the above features are an incremental extension to elementary math layout, so implementation (especially via an extension to the polyfill I wrote), means that supporting these features would be universal (assuming I or someone else extended the polyfill). Just as important, using this extension would be simple as it is a declarative notation that doesn't require modifying the generated layout other than at a high level (wrapping withmstack
ormlongdiv
). It would be less powerful though.I suspect that this proposed extension to elementary math handles the large majority of cases where people play games with tables to achieve alignment, both in MathML and in TeX. @davidcarlisle: do you have any estimate of how many uses of table for alignment in TeX would be covered by this proposed extension? What are some of the cases that are missed by it?