xsl-list

Re: [xsl] HTML5 semantics and XSLT

2022-02-23 12:30:48
Hi,

Mike Kay is right: this has nothing to do with the MathML namespace. Any 
namespace would do. (The MathML namespace just happened to turn up in the place 
where this purported exploit was described.) David and Norm are also right that 
this is not an XSLT bug or an XML bug: they are working as designed.

Others are saying they can't even see the offending < s c r i p t xmlns = 
whathaveyou>(script)< / s c r I p t > that I typed into my email, which 
suggests scrubbing - not entirely surprising I suppose! It's a good thing the 
list doesn't take attachments, I guess, or my alert("Boo") might be fired off 
somewhere.

Cheers, Wendell

From: Michael Kay mike(_at_)saxonica(_dot_)com 
<xsl-list-service(_at_)lists(_dot_)mulberrytech(_dot_)com>
Sent: Wednesday, February 23, 2022 11:48 AM
To: xsl-list <xsl-list(_at_)lists(_dot_)mulberrytech(_dot_)com>
Subject: Re: [xsl] HTML5 semantics and XSLT

I don't think I've understood the significance of the mathml namespace in all 
this.

And presumably any harm that can be done using this exploit could equally be 
done by executing untrusted HTML in the browser directly?

Michael Kay
Saxonica


On 23 Feb 2022, at 16:31, Piez, Wendell A. (Fed) 
wendell(_dot_)piez(_at_)nist(_dot_)gov 
<xsl-list-service(_at_)lists(_dot_)mulberrytech(_dot_)com> wrote:

Friends,

Starting from an interesting post at 
https://blog.sonarsource.com/horde-webmail-account-takeover-via-email 
(brought to my attention by a colleague) ...

Amazingly, it appears to be true that opened in a current web browser, a 
document like the following will proceed to execute the script it contains.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Boo?</title>
    </head>
    <body>
        
    </body>
</html>

NB: yes, that supposed MathML is bogus. FWIW this is also different from the 
code snippet in the post, which isn't actually realistic. But it documents a 
real phenomenon.

The reason I remark on this is that (as noted in the post) it implies that any 
template such as this (copied from a widely distributed library), when 
targeting HTML, might be problematic on some uncontrolled inputs:

<xsl:template match="*" mode="math">
   <xsl:element name="{local-name()}" namespace="http://www.w3.org/1998/Math/MathML">
       <xsl:apply-templates select="@*|node()" mode="math"/>
   </xsl:element>
</xsl:template>

Might this need to be defended, maybe by emitting a prefix on every element 
name it makes?

<xsl:template match="*" mode="math">
   <xsl:element name="mml:{local-name()}" namespace="http://www.w3.org/1998/Math/MathML">
       <xsl:apply-templates select="@*|node()" mode="math"/>
   </xsl:element>
</xsl:template>

Otherwise, at least as reported in the post cited above, an OpenOffice 
document, when previewed in certain execution contexts, can act much like a 
Word document with embedded malware.

Comments?

Regards, Wendell
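The point the thread turns on, as an added Python example that is not part of the thread, of the Horde code or of any XSLT library it mentions: the same markup read by an HTML tokenizer and by an XML parser. It uses only the standard library (html.parser, which is a tokenizer rather than a full HTML5 tree builder, so it shows the tag-level fact and not browser foreign-content handling; and xml.etree). The two sample strings are constructed to stand in for what the unprefixed and the prefixed template above would serialise for an untrusted script element in the input.

```python
"""Added example, not code from the thread: what an HTML tokenizer and an XML
parser each make of a <script> element carrying a MathML xmlns.

Standard library only.  html.parser is a tokenizer rather than a full HTML5
tree builder, so it shows the tag-level fact the thread turns on: in HTML an
element named "script" is a script element whatever attributes it carries,
while "mml:script" is just an unknown tag name."""
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

MATHML = "http://www.w3.org/1998/Math/MathML"

# Constructed samples standing in for what the two templates in the thread
# would serialise for an untrusted script element in the input document.
UNPREFIXED = '<body><script xmlns="%s">alert("Boo")</script></body>' % MATHML
PREFIXED = (
    '<body><mml:script xmlns:mml="%s">alert("Boo")</mml:script></body>' % MATHML
)


class ScriptCollector(HTMLParser):
    """Record every start tag and the text the tokenizer treats as script."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.script_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        # html.parser switches to script-content mode on the tag name alone;
        # the xmlns attribute plays no part, just as in a browser's HTML parser.
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def html_view(markup):
    """Return (tag names, script text) as an HTML tokenizer sees the markup."""
    p = ScriptCollector()
    p.feed(markup)
    p.close()
    return p.tags, "".join(p.script_text)


def xml_view(markup):
    """Return the namespace-qualified names an XML parser assigns instead."""
    root = ET.fromstring(markup)
    return [el.tag for el in root.iter()]


def would_execute_as_html(markup):
    """True when the HTML tokenizer finds script content: the browser case."""
    return html_view(markup)[1] != ""


if __name__ == "__main__":
    for label, sample in (("unprefixed", UNPREFIXED), ("prefixed", PREFIXED)):
        print(label, "HTML view:", html_view(sample))
        print(label, "XML view: ", xml_view(sample))
        print(label, "runs as HTML:", would_execute_as_html(sample))
```

The XML view is identical for both forms, which is Mike Kay's point: the namespace is not what matters. The two forms differ only in the HTML view, so the prefix defence holds exactly when the XSLT output is consumed as text/html; served as XHTML, neither form would run, since browsers execute script elements in the XHTML and SVG namespaces, not in MathML. A stricter defence than prefixing is to reject element names that are not part of the MathML vocabulary at all, rather than relying on how the consumer happens to parse the result.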

--~----------------------------------------------------------------
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
EasyUnsubscribe: http://lists.mulberrytech.com/unsub/xsl-list/1167547
or by email: xsl-list-unsub(_at_)lists(_dot_)mulberrytech(_dot_)com
--~--