- From: Hallvord Reiar Michaelsen Steen <hallvord@opera.com>
- Date: Tue, 16 Apr 2013 10:21:10 +0200
- To: public-webapps@w3.org, "Paul Topping" <pault@dessci.com>
> I suspect that the MathML community would be eager to help define
> what needs to get stripped out of MathML to maintain security.
> However, speaking for myself, I do not know what kinds of things
> are considered dangerous. For example, MathML has markup that lets
> a math expression act as a hyperlink. Do we need to strip that out
> completely or is that dependent on the url?

See the initial list of "bad stuff" in
https://www.w3.org/Bugs/Public/show_bug.cgi?id=21700

Basically, the attack scenario is: trick a user into trying to copy something from an attacker's site to a rich text element on a target site. If this process can make some code execute inside the target site, the attack can succeed. (There is also some scope for doing malice with CSS and form elements, but probably much less.)

--
Hallvord R. M. Steen
Core tester, Opera Software
Received on Tuesday, 16 April 2013 08:22:30 UTC