
Why are annotation and semantics MathML tags forbidden? #673

Closed
edemaine opened this issue Apr 22, 2022 · 4 comments

@edemaine

This issue proposes a feature, to move the <annotation> and <semantics> MathML tags from the forbidden to allowed list.

Background & Context

KaTeX generates MathML with <annotation> and <semantics> tags, which include the original LaTeX source code.

Is there a security risk I'm missing in semantics and annotation?

Desired behavior

Input

Example generated by KaTeX on input x:

<span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML" display="block"><semantics><mrow><mi>x</mi></mrow><annotation encoding="application/x-tex">x</annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height: 0.4306em;"></span><span class="mord mathnormal">x</span></span></span></span>

Given output

<span class="katex"><span class="katex-mathml"><math display="block" xmlns="http://www.w3.org/1998/Math/MathML"><mrow><mi>x</mi></mrow>x</math></span><span aria-hidden="true" class="katex-html"><span class="base"><span style="height: 0.4306em;" class="strut"></span><span class="mord mathnormal">x</span></span></span></span>

Expected output

Same as input.

@is2ei (Contributor)

is2ei commented Apr 24, 2022

@edemaine

It seems the reason is partly explained in the code below.

https://github.com/cure53/DOMPurify/blob/main/src/tags.js#L197-L260

// List of SVG elements that are disallowed by default.
// We still need to know them so that we can do namespace
// checks properly in case one wants to add them to
// allow-list.
...
// Similarly to SVG, we want to know all MathML elements,
// even those that we disallow by default.
export const mathMlDisallowed = freeze([
  'maction',
  'maligngroup',
  'malignmark',
  'mlongdiv',
  'mscarries',
  'mscarry',
  'msgroup',
  'mstack',
  'msline',
  'msrow',
  'semantics',
  'annotation',
  'annotation-xml',
  'mprescripts',
  'none',
]);

@cure53 (Owner)

cure53 commented Apr 24, 2022

They cause mXSS and hence need to be handled with great care. See here https://github.com/cure53/DOMPurify/blob/main/test/fixtures/expect.js#L1094

You can of course allow those tags via config if this is not a risk for you, but by default, we have to prohibit them, sadly.

cure53 closed this as completed Apr 24, 2022

@edemaine (Author)

Thank you for the explanation! Definitely makes sense not to allow them in general then. This may not be the right forum, but I'd like to know more about the vector, in order to protect my site but allow the form generated by KaTeX.

  1. Do you know whether the same exploit is possible with <annotation> as opposed to <annotation-xml>?
  2. Perhaps it's safe to allow <annotation encoding="application/x-tex">, i.e., for me to check/force the encoding attribute? MDN says only certain encodings are rendered, and this is not among them, so I'm hoping it's safe in this situation. (Perhaps any encoding that's not text/html or maybe image/svg+xml is safe.)

@cure53 (Owner)

cure53 commented Apr 25, 2022

That is a good question and we'd probably have to try it out and see what browsers do in that regard.

(Perhaps any encoding that's not text/html or maybe image/svg+xml is safe.)

My guess is that you are right here, but I frankly don't know for sure :)
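One way to act on the two points above (cure53's note that the tags can be re-allowed via config, and edemaine's idea of only accepting `<annotation encoding="application/x-tex">`) is an added example, not code from DOMPurify or from anyone in this thread. It re-allows `semantics` and `annotation` (never `annotation-xml`) and drops any `<annotation>` whose encoding is not exactly `application/x-tex`; the thread itself does not settle whether that is sufficient, so treat it as the check edemaine proposed, not a proof of safety. The DOMPurify instance is passed in rather than required, and `createKatexSanitizer` / `isAllowedAnnotation` are names chosen here.

```javascript
// Added example: opt KaTeX's <semantics>/<annotation> back in under DOMPurify,
// keeping only annotations whose encoding is application/x-tex.
const ALLOWED_ANNOTATION_ENCODINGS = new Set(['application/x-tex']);

// Pure policy decision, kept separate from the DOM so it can be unit-tested.
// Returns true when the element may stay in the sanitized output.
function isAllowedAnnotation(tagName, encoding) {
  if (tagName !== 'annotation') return true;        // policy only concerns <annotation>
  if (typeof encoding !== 'string') return false;   // missing encoding: drop, do not guess
  return ALLOWED_ANNOTATION_ENCODINGS.has(encoding.trim().toLowerCase());
}

// Wire the policy into a DOMPurify instance (e.g. the browser global, or
// require('dompurify')(window) under jsdom) and return a sanitize function.
function createKatexSanitizer(DOMPurify) {
  DOMPurify.addHook('uponSanitizeElement', (node, data) => {
    if (data.tagName !== 'annotation') return;
    const encoding = typeof node.getAttribute === 'function'
      ? node.getAttribute('encoding')
      : null;
    // Remove the whole element, not just the attribute: an <annotation>
    // without an acceptable encoding is never something KaTeX would emit.
    if (!isAllowedAnnotation(data.tagName, encoding) && node.parentNode) {
      node.parentNode.removeChild(node);
    }
  });
  return (html) =>
    DOMPurify.sanitize(html, {
      ADD_TAGS: ['semantics', 'annotation'],  // deliberately NOT 'annotation-xml'
      ADD_ATTR: ['encoding'],                 // assumption: make sure the attribute survives
    });
}
```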
