W3C home > Mailing lists > Public > www-math@w3.org > December 2015

Is MathML really Dangerous?

From: Physikerwelt <wiki@physikerwelt.de>
Date: Fri, 4 Dec 2015 19:04:57 +0100
Message-ID: <CA+fbXr3iz_5GKxtYgg5hFmkQ-2tW2m2hGQL3_gGhMJVNMiQT2Q@mail.gmail.com>
To: www-math@w3.org
Dear W3C Math WG,

I wonder if there is a resilient security assessment for MathML. It
would be nice, if there was at least a subset of MathML, for which the
security was proven according to state-of-the-art of science and
technology. For example I could imagine that only presentation MathML
without a finite list of possible dangerous elements such as maction
or annotation could be the secure MathML subset.

The background of my question is that the Wikimedia Foundation
considers opening the POST endpoint for converting several input
formats (i.e. TeX, AsciMathML, and MathML) to MathML + SVG (+ PNG) [1]
for the public[2].
Currently this conversion endpoint it is only accessible from within
the Wikimedia Foundation cluster and only accepts texvc* input.

Best

Moritz Schubotz

[1] https://en.wikipedia.org/api/rest_v1/?doc#!/Math/post_media_math_check_type
if you try this link you’ll get a “This client is not allowed to use
the endpoint” exception rather than the security checked texvc output
you receive in the unstable demo here
http://math.beta.wmflabs.org:7231/math.beta.wmflabs.org/v1/?doc#!/Math/post_media_math_check_type

[2] https://phabricator.wikimedia.org/T116147

*) texvc is a well-defined subset of LaTeX with some custom macros.
Received on Friday, 4 December 2015 18:05:26 UTC

This archive was generated by hypermail 2.3.1 : Friday, 4 December 2015 18:05:27 UTC