Re: RE: MathML and "Clipboard API and events"

> I suspect that the MathML community would be eager to help define
> what needs to get stripped out of MathML to maintain security.
> However, speaking for myself, I do not know what kinds of things
> are considered dangerous. For example, MathML has markup that lets
> a math expression act as a hyperlink. Do we need to strip that out
> completely or is that dependent on the url?

See the initial list of "bad stuff" in 
https://www.w3.org/Bugs/Public/show_bug.cgi?id=21700

Basically, the attack scenario is: trick a user into trying to copy something from an attacker's site to a rich text element on a target site. If this process can make some code execute inside the target site, the attack can succeed.

(There is also some scope for doing malice with CSS and form elements, but probably much less.)

-- 
Hallvord R. M. Steen
Core tester, Opera Software

Received on Tuesday, 16 April 2013 08:22:30 UTC
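As an added illustration of the kind of stripping discussed in this message (example code written here, not the W3C "bad stuff" list and not any browser's implementation), the following Python sanitizer parses a pasted MathML fragment, keeps only elements in the MathML namespace, drops every `on*` attribute and keeps `href` only when it is an absolute http(s) URL. The policy and the sample fragment are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MATHML_NS = "http://www.w3.org/1998/Math/MathML"
SAFE_SCHEMES = {"http", "https"}   # only absolute http(s) links survive

def _split(qname):
    """Split an ElementTree '{ns}name' into (ns, name); ns is '' if unprefixed."""
    if qname.startswith("{"):
        ns, name = qname[1:].split("}", 1)
        return ns, name
    return "", qname

def _clean(elem):
    # Drop any child that is not MathML (e.g. HTML nested in annotation-xml),
    # then recurse into the children that remain.
    for child in list(elem):
        if _split(child.tag)[0] != MATHML_NS:
            elem.remove(child)
        else:
            _clean(child)
    # Drop script-bearing attributes: every on* handler, and href unless it
    # is an absolute http(s) URL (javascript:, data: and relative links go).
    for attr in list(elem.attrib):
        name = _split(attr)[1].lower()
        if name.startswith("on"):
            del elem.attrib[attr]
        elif name == "href":
            if urlsplit(elem.attrib[attr].strip()).scheme.lower() not in SAFE_SCHEMES:
                del elem.attrib[attr]

def sanitize_mathml(fragment):
    """Return a sanitized serialization of a pasted MathML fragment, or ''
    if the root element is not MathML. Raises ET.ParseError on bad XML.
    (Assumption: for untrusted input in production, parse with defusedxml.)"""
    root = ET.fromstring(fragment)
    if _split(root.tag)[0] != MATHML_NS:
        return ""
    _clean(root)
    ET.register_namespace("", MATHML_NS)   # serialize with a default xmlns
    return ET.tostring(root, encoding="unicode")

# Constructed sample: a benign https link, an inline handler, a javascript:
# link and an HTML island inside annotation-xml.
SAMPLE = (
    '<math xmlns="http://www.w3.org/1998/Math/MathML">'
    '<mrow href="https://example.org/proof" onclick="x()"><mi>x</mi></mrow>'
    '<mi href="javascript:void(0)">y</mi>'
    '<semantics><mi>z</mi><annotation-xml encoding="text/html">'
    '<p xmlns="http://www.w3.org/1999/xhtml">html</p></annotation-xml>'
    '</semantics></math>'
)

if __name__ == "__main__":
    print(sanitize_mathml(SAMPLE))
```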