Suggestion: Warn about MathML Elements #8

Closed
freddyb opened this issue Mar 1, 2014 · 4 comments

Comments

@freddyb
Contributor

freddyb commented Mar 1, 2014

The maction, semantics elements can lead to script execution.
I'd prefer if the note for configuration mentions that they should be avoided

@cure53
Owner

cure53 commented Mar 1, 2014

What risks do you see aside from JavaScript URIs? Yes, there's status bar spoofing and other tricks - but how to execute script?

@mozfreddyb
Contributor

Mh, mostly xlink:href... so that'll be covered with the attributes filter anyway, I assume?
Though I'm unsure about how DOMPurify (the DOM Parser) handles namespaces.

@fhemberger
Contributor

Removal of xlink:href is already in place.
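
The attribute filter mozfreddyb and fhemberger discuss, as an added example that is not DOMPurify's own code: it treats an attribute as xlink:href whether the parser kept the literal qualified name or already resolved it into the XLink namespace, and drops the elements freddyb names. The tree shape, the FORBID_TAGS set and the sample input are constructed assumptions.

```javascript
// Added example, not DOMPurify's own code: a namespace-aware attribute filter over a
// minimal element tree whose fields mirror the DOM's namespaceURI/localName/prefix.
const XLINK_NS = 'http://www.w3.org/1999/xlink';
const MATHML_NS = 'http://www.w3.org/1998/Math/MathML';

// Elements the thread says should be avoided (hypothetical config, not DOMPurify's defaults).
const FORBID_TAGS = new Set(['maction', 'semantics']);

// A parser may present the same attribute two ways: as the literal qualified
// name "xlink:href" (XML-style, prefix kept) or already resolved into the XLink
// namespace with localName "href" (what the HTML parser does for foreign content).
function isXlinkHref(attr) {
  const qualified = (attr.prefix ? attr.prefix + ':' : '') + attr.localName;
  if (qualified.toLowerCase() === 'xlink:href') return true;
  return attr.namespaceURI === XLINK_NS && attr.localName.toLowerCase() === 'href';
}

// Returns a sanitized copy: forbidden elements (with their subtrees) are dropped,
// xlink:href attributes in either form are removed, everything else is kept.
function sanitize(node) {
  if (FORBID_TAGS.has(node.localName.toLowerCase())) return null;
  return {
    namespaceURI: node.namespaceURI,
    localName: node.localName,
    attrs: node.attrs.filter((a) => !isXlinkHref(a)),
    children: node.children.map(sanitize).filter((c) => c !== null),
  };
}

// Builders for the constructed sample tree below.
function el(localName, attrs = [], children = [], namespaceURI = MATHML_NS) {
  return { namespaceURI, localName, attrs, children };
}
function attr(prefix, localName, namespaceURI, value) {
  return { prefix, localName, namespaceURI, value };
}

// Constructed sample: a <semantics> child, xlink:href spelled both ways, one harmless attribute.
const sample = el('math', [], [
  el('semantics', [], [el('mi')]),
  el('mtext', [attr('xlink', 'href', null, 'placeholder-uri')]),
  el('mtext', [attr(null, 'href', XLINK_NS, 'placeholder-uri')]),
  el('mtext', [attr(null, 'mathvariant', null, 'bold')]),
]);

// Counts attributes anywhere in the tree for which pred(attr) is true.
function countAttrs(node, pred) {
  return node.attrs.filter(pred).length + node.children.reduce((n, c) => n + countAttrs(c, pred), 0);
}
```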

@cure53
Owner

cure53 commented Mar 2, 2014

Although I am tempted to lift that restriction. Why not allow xlink:href? Even @InsertScript's SVG XSS should be mitigated in case DOMPurify is present.

cure53 closed this as completed in 5a26ea1 Mar 8, 2014