W3C home > Mailing lists > Public > www-math@w3.org > December 2015

Re: Is MathML really Dangerous?

From: Bruce Miller <bruce.miller@nist.gov>
Date: Fri, 4 Dec 2015 14:01:29 -0500
To: <www-math@w3.org>
Message-ID: <5661E309.2000801@nist.gov>
I can't answer the direct question: a security assessment would
be a useful thing to be able to point to.

But I have to ask: Why the provocative subject?
Is someone claiming that MathML is dangerous?
(even maction or annotations?)

BTW: The background context of cgi & web services is a whole
other can of worms completely independent of the safety
of MathML itself.  You could as well ask whether ASCII
is really Dangerous.

bruce

On 12/04/2015 01:04 PM, Physikerwelt wrote:
> Dear W3C Math WG,
>
> I wonder if there is a resilient security assessment for MathML. It
> would be nice, if there was at least a subset of MathML, for which the
> security was proven according to state-of-the-art of science and
> technology. For example I could imagine that only presentation MathML
> without a finite list of possible dangerous elements such as maction
> or annotation could be the secure MathML subset.
>
> The background of my question is that the Wikimedia Foundation
> considers opening the POST endpoint for converting several input
> formats (i.e. TeX, AsciMathML, and MathML) to MathML + SVG (+ PNG) [1]
> for the public[2].
> Currently this conversion endpoint it is only accessible from within
> the Wikimedia Foundation cluster and only accepts texvc* input.
>
> Best
>
> Moritz Schubotz
>
> [1] https://en.wikipedia.org/api/rest_v1/?doc#!/Math/post_media_math_check_type
> if you try this link you’ll get a “This client is not allowed to use
> the endpoint” exception rather than the security checked texvc output
> you receive in the unstable demo here
> http://math.beta.wmflabs.org:7231/math.beta.wmflabs.org/v1/?doc#!/Math/post_media_math_check_type
>
> [2] https://phabricator.wikimedia.org/T116147
>
> *) texvc is a well-defined subset of LaTeX with some custom macros.
>
Received on Friday, 4 December 2015 19:02:11 UTC

This archive was generated by hypermail 2.3.1 : Friday, 4 December 2015 19:02:11 UTC