Friends,
Starting from an interesting post at
https://blog.sonarsource.com/horde-webmail-account-takeover-via-email (brought
to my attention by a colleague) ...
Amazingly, it appears to be true that, opened in a current web browser, a
document like the following will proceed to execute the script it contains.
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Boo?</title>
</head>
<body>
</body>
</html>
NB: yes, that supposed MathML is bogus. FWIW this is also different from the
code snippet in the post, which isn't actually realistic. But it documents a
real phenomenon.
The reason I remark on this is that (as noted in the post) it implies that any
template such as this (copied from a widely distributed library), when
targeting HTML, might be problematic on some uncontrolled inputs:
<xsl:template match="*" mode="math">
  <xsl:element name="{local-name()}"
               namespace="http://www.w3.org/1998/Math/MathML">
    <xsl:apply-templates select="@*|node()" mode="math"/>
  </xsl:element>
</xsl:template>
Might this need to be defended, maybe by emitting a prefix on every element
name it makes?
<xsl:template match="*" mode="math">
  <xsl:element name="mml:{local-name()}"
               namespace="http://www.w3.org/1998/Math/MathML">
    <xsl:apply-templates select="@*|node()" mode="math"/>
  </xsl:element>
</xsl:template>
Otherwise, at least as reported in the post cited above, an OpenOffice
document, when previewed in certain execution contexts, can act much like a
Word document with embedded malware.
Comments?
Regards, Wendell
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
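The following is an added example, not code from Wendell's post or from the library the template was copied from. It is a standard-library-only check that can be run over the serialized HTML produced by such a transform: it records each start tag exactly as an HTML tokenizer names it and reports any that coincide with element names HTML treats as active (script, style, iframe, and so on), which is the hazard the unprefixed template creates and the `mml:` prefix removes. No XSLT processor is involved; `UNPREFIXED_OUTPUT` and `PREFIXED_OUTPUT` are constructed by hand to mirror what the two templates would emit for a MathML input tree that happens to contain an element with local name `script`, and `ACTIVE_HTML_ELEMENTS` is an assumed list for this check. Python's `html.parser` implements tokenization only, not the HTML5 foreign-content rules, so it models the tag-naming question, not full browser behaviour.

```python
"""Added example, not the list author's code: report MathML-derived tags
in serialized HTML that an HTML tokenizer would take for native HTML
elements.  Standard library only; no XSLT processor is run.

The two sample strings are constructed to mirror what the unprefixed and
the mml:-prefixed template would emit for an input tree that contains an
element whose local name is "script".  html.parser models tokenization
only, not HTML5 foreign-content handling."""

from html.parser import HTMLParser

MATHML_NS = "http://www.w3.org/1998/Math/MathML"

# Assumed list for this check: HTML element names that stop being inert
# once an HTML tokenizer recognises them (run code, load remote content,
# or switch the tokenizer into a raw-text mode).
ACTIVE_HTML_ELEMENTS = frozenset(
    {"script", "style", "iframe", "object", "embed", "img", "link", "meta"}
)


class TagRecorder(HTMLParser):
    """Record every start tag as the tokenizer names it, plus any xmlns
    attribute.  As in a browser, the xmlns attribute has no influence on
    the recognised tag name."""

    def __init__(self):
        super().__init__()
        self.tags = []           # [(tag_name, xmlns_value_or_None), ...]
        self.script_bodies = []  # raw text handed to a recognised <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs).get("xmlns")))
        # html.parser enters raw-text mode for a tag literally named
        # "script"; "mml:script" is just another ordinary tag to it.
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_bodies.append(data)


def _record(html_text):
    rec = TagRecorder()
    rec.feed(html_text)
    rec.close()
    return rec


def tokenized_tags(html_text):
    """Tag names in document order, exactly as the HTML tokenizer sees them."""
    return [tag for tag, _ in _record(html_text).tags]


def active_elements(html_text):
    """Tags the author intended as MathML but an HTML tokenizer would treat
    as active HTML elements.  An empty list is the desired result."""
    return [t for t in tokenized_tags(html_text) if t in ACTIVE_HTML_ELEMENTS]


def script_bodies(html_text):
    """Raw text that reached a recognised <script> element."""
    return _record(html_text).script_bodies


# Constructed: what the unprefixed template yields once serialized as HTML.
# The namespace is declared on the root only; the child carries no prefix.
UNPREFIXED_OUTPUT = (
    f'<math xmlns="{MATHML_NS}"><mi>x</mi>'
    "<script>/* placeholder text, not MathML */</script>"
    "</math>"
)

# Constructed: what the prefixed template yields for the same input.
PREFIXED_OUTPUT = (
    f'<mml:math xmlns:mml="{MATHML_NS}"><mml:mi>x</mml:mi>'
    "<mml:script>/* placeholder text, not MathML */</mml:script>"
    "</mml:math>"
)


if __name__ == "__main__":
    for label, out in (("unprefixed", UNPREFIXED_OUTPUT), ("prefixed", PREFIXED_OUTPUT)):
        print(label, "tags:", tokenized_tags(out))
        print(label, "active HTML elements:", active_elements(out))
        print(label, "script bodies:", script_bodies(out))
```

Run against the real output of the transform (the serialized HTML, not the XSLT source), `active_elements` should come back empty; any name it returns is an element whose local name collided with HTML vocabulary and lost its MathML identity on the way to the tokenizer. The point the prefix makes is visible in `tokenized_tags`: `script` versus `mml:script` is the only difference the tokenizer ever sees, since it never consults `xmlns`.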