
RE: Is MathML really Dangerous?

From: Paul Topping <pault@dessci.com>
Date: Fri, 4 Dec 2015 22:01:21 +0000
To: Deyan Ginev <d.ginev@jacobs-university.de>, "Schubotz, Moritz" <schubotz@tu-berlin.de>, "www-math@w3.org" <www-math@w3.org>
Message-ID: <B6C5B1ABA88AF446821B281774E6DB71B6F988D9@FERMAT.corp.dessci>
This reminds me that the Chrome team ripped out the MathML support code from their Blink engine when it was forked from WebKit over two years ago. If I recall correctly, they said it was for "security reasons" and that they didn't have resources that could ensure that the code didn't have security vulnerabilities.

Paul

> -----Original Message-----
> From: Deyan Ginev [mailto:d.ginev@jacobs-university.de]
> Sent: Friday, December 04, 2015 1:49 PM
> To: Schubotz, Moritz <schubotz@tu-berlin.de>; www-math@w3.org
> Subject: Re: Is MathML really Dangerous?
> 
> Dear all,
> 
> It's great to hear that there is interest in security for MathML. I
> would also be curious to hear if a "security audit" of any form has been
> performed on the spec, maybe as part of the integration work with the
> HTML5 working group.
> 
> Security audits are an inevitability when production-ready technologies
> start being used in enterprise settings, and given the scale and
> importance of the MediaWiki installations out there, it's reasonable
> that they would at least ask the question. In this scope, this is a
> question also suitable for the HTML5 community, and I see MathML is
> already featured on html5sec:
> 
> https://html5sec.org/?mathml
> 
> Does the Math WG know of prior interest in this subject?
> 
> Greetings,
> Deyan
> 
> 
> On 12/04/2015 03:26 PM, Schubotz, Moritz wrote:
> > Hi Bruce,
> >
> > I have the feeling that a reasonable answer to the question "is ASCII
> > dangerous" is:
> > https://xkcd.com/327
> > At least in the context of SQL injections it has been well studied.
> > If you expose MathML to browsers that might not even know what
> > MathML is, they might freak out.
> >
> > Moritz
> >
> 
Received on Friday, 4 December 2015 22:01:51 UTC
