- From: Bruce Miller <bruce.miller@nist.gov>
- Date: Fri, 4 Dec 2015 14:01:29 -0500
- To: <www-math@w3.org>

I can't answer the direct question: a security assessment would be
a useful thing to be able to point to.

But I have to ask: Why the provocative subject?
Is someone claiming that MathML is dangerous?
(even maction or annotations?)

BTW: The background context of cgi & web services
is a whole other can of worms completely independent
of the safety of MathML itself. You could as well
ask whether ASCII is really Dangerous.

bruce

On 12/04/2015 01:04 PM, Physikerwelt wrote:
> Dear W3C Math WG,
>
> I wonder if there is a resilient security assessment for MathML. It
> would be nice, if there was at least a subset of MathML, for which the
> security was proven according to state-of-the-art of science and
> technology. For example I could imagine that only presentation MathML
> without a finite list of possible dangerous elements such as maction
> or annotation could be the secure MathML subset.
>
> The background of my question is that the Wikimedia Foundation
> considers opening the POST endpoint for converting several input
> formats (i.e. TeX, AsciiMathML, and MathML) to MathML + SVG (+ PNG) [1]
> for the public[2].
> Currently this conversion endpoint is only accessible from within
> the Wikimedia Foundation cluster and only accepts texvc* input.
>
> Best
>
> Moritz Schubotz
>
> [1] https://en.wikipedia.org/api/rest_v1/?doc#!/Math/post_media_math_check_type
> if you try this link you’ll get a “This client is not allowed to use
> the endpoint” exception rather than the security checked texvc output
> you receive in the unstable demo here
> http://math.beta.wmflabs.org:7231/math.beta.wmflabs.org/v1/?doc#!/Math/post_media_math_check_type
>
> [2] https://phabricator.wikimedia.org/T116147
>
> *) texvc is a well-defined subset of LaTeX with some custom macros.

Received on Friday, 4 December 2015 19:02:11 UTC
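
The subset idea raised in the quoted message (presentation MathML minus listed elements such as maction or annotation), sketched as an added example that is not part of the original thread or of any Wikimedia code. The `ALLOWED` selection, the refusal of DOCTYPE declarations and the function name `check_subset` are assumptions made for illustration; only element names are checked, not attributes.

```python
import xml.parsers.expat

MATHML_NS = "http://www.w3.org/1998/Math/MathML"
# Elements the quoted message names as possibly dangerous.
DENIED = {"maction", "annotation"}
# Assumption: a selection of MathML 3 presentation elements (maction left out).
# Illustrative only; not a vetted or proven-secure subset.
ALLOWED = set("""math semantics mrow mi mn mo mtext mspace ms mfrac msqrt mroot
    mstyle merror mpadded mphantom mfenced menclose msub msup msubsup munder
    mover munderover mmultiscripts mprescripts none mtable mtr mlabeledtr mtd
    """.split())


class Rejected(ValueError):
    """Raised from a parser callback to abort parsing immediately."""


def check_subset(xml_text):
    """Return a list of findings; an empty list means the input is in the subset."""
    findings = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Refuse DTDs outright so no entity definitions are ever processed.
        raise Rejected("DOCTYPE not allowed")

    def on_start(name, attrs):
        # With namespace_separator=" ", expat reports names as "<uri> <local>".
        ns, _, local = name.rpartition(" ")
        if ns != MATHML_NS:
            findings.append(f"non-MathML element: {local}")
        elif local in DENIED:
            findings.append(f"denied element: {local}")
        elif local not in ALLOWED:
            findings.append(f"outside subset: {local}")

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(xml_text, True)
    except (Rejected, xml.parsers.expat.ExpatError) as exc:
        findings.append(f"rejected: {exc}")
    return findings


if __name__ == "__main__":
    # Constructed sample input.
    sample = f'<math xmlns="{MATHML_NS}"><maction><mi>x</mi></maction></math>'
    print(check_subset(sample))
```
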