
Re: [xsl] HTML5 semantics and XSLT

2022-02-23 11:00:41
On Wed, 23 Feb 2022 at 16:30, Piez, Wendell A. (Fed) 
wendell(_dot_)piez(_at_)nist(_dot_)gov <
xsl-list-service(_at_)lists(_dot_)mulberrytech(_dot_)com> wrote:

Friends,



Starting from an interesting post at
https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
(brought to my attention by a colleague) …



Amazingly, it appears to be true that opened in a current web browser, a
document like the following will proceed to execute the script it contains.



<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Boo?</title>
    </head>
    <body>
        

    </body>
</html>



Isn't this expected? If you parse as HTML then the xmlns attribute is
ignored, so that's just a normal HTML element with a standard JavaScript
script.
If you serve it as text/xml and parse as XHTML then things would be
different.

David






NB: yes, that supposed MathML is bogus. FWIW this is also different from
the code snippet in the post, which isn't actually realistic. But it
documents a real phenomenon.



The reason I remark on this is that (as noted in the post) it implies that
any template such as this (copied from a widely distributed library), when
targeting HTML, might be problematic on some uncontrolled inputs:



<xsl:template match="*" mode="math">
   <xsl:element name="{local-name()}" namespace="http://www.w3.org/1998/Math/MathML">
       <xsl:apply-templates select="@*|node()" mode="math"/>
   </xsl:element>
</xsl:template>



Might this need to be defended, maybe by emitting a prefix on every
element name it makes?



<xsl:template match="*" mode="math">
   <xsl:element name="mml:{local-name()}" namespace="http://www.w3.org/1998/Math/MathML">
       <xsl:apply-templates select="@*|node()" mode="math"/>
   </xsl:element>
</xsl:template>



Otherwise, at least as reported in the post cited above, an OpenOffice
document, when previewed in certain execution contexts, can act much like a
Word document with embedded malware.



Comments?



Regards, Wendell


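As an added illustration, not code from this thread: the Python below mimics the template quoted above with and without the mml: prefix, then parses the output both as HTML (where, as David notes, xmlns is just an ignored attribute) and as XML. The MathML input is constructed for the example.

```python
from html.parser import HTMLParser
import xml.etree.ElementTree as ET
MATHML_NS = "http://www.w3.org/1998/Math/MathML"
# Constructed input: bogus MathML carrying a script element, i.e. the kind of
# uncontrolled input the template in the thread would copy into its output.
SAMPLE_MATHML = ('<math xmlns="%s"><mi>x</mi>'
                 '<script>console.log("boo")</script></math>' % MATHML_NS)

def local_name(tag):  # ElementTree spells tags as {namespace}local
    return tag.split("}", 1)[1] if tag.startswith("{") else tag

def serialize(el, prefix="", root=True):
    """Mimic the XSLT template: rebuild each element from local-name() in the
    MathML namespace; prefix="mml:" mimics the defended variant."""
    name = prefix + local_name(el.tag)
    attrs = "".join(' %s="%s"' % kv for kv in el.attrib.items())
    if root:  # a serializer declares the namespace on the outermost element
        attrs += ' xmlns%s="%s"' % (":" + prefix[:-1] if prefix else "", MATHML_NS)
    inner = (el.text or "") + "".join(
        serialize(c, prefix, False) + (c.tail or "") for c in el)
    return "<%s%s>%s</%s>" % (name, attrs, inner, name)

def as_page(math_markup):  # the XHTML page from the thread, math in the body
    return ('<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head>'
            '<title>Boo?</title></head><body>%s</body></html>' % math_markup)

def html_tags(page):
    """Browser-style HTML parsing: tag names only, xmlns is just an attribute."""
    seen = []
    parser = HTMLParser()
    parser.handle_starttag = lambda tag, attrs: seen.append(tag)
    parser.feed(page)
    return seen

def html_script_elements(page):  # what an HTML parser treats as real script
    return [t for t in html_tags(page) if t == "script"]

def xml_script_namespaces(page):
    """Same page parsed as XML: which namespace does each 'script' live in?"""
    return [el.tag[1:].split("}")[0] for el in ET.fromstring(page).iter()
            if local_name(el.tag) == "script"]

def compare():
    tree = ET.fromstring(SAMPLE_MATHML)
    unprefixed = as_page(serialize(tree))        # original template's output
    prefixed = as_page(serialize(tree, "mml:"))  # defended template's output
    return {"html_unprefixed": html_script_elements(unprefixed),  # ['script']
            "html_prefixed": html_script_elements(prefixed),      # []
            "xml_unprefixed": xml_script_namespaces(unprefixed),  # [MATHML_NS]
            "xml_prefixed": xml_script_namespaces(prefixed)}      # [MATHML_NS]
```

The XML view places the element in the MathML namespace either way; only the HTML parser's tag-name-only view changes, which is the whole effect of the prefix.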

--~----------------------------------------------------------------
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
EasyUnsubscribe: http://lists.mulberrytech.com/unsub/xsl-list/1167547
or by email: xsl-list-unsub(_at_)lists(_dot_)mulberrytech(_dot_)com
--~--