- From: Paul Topping <pault@dessci.com>
- Date: Fri, 4 Dec 2015 22:01:21 +0000
- To: Deyan Ginev <d.ginev@jacobs-university.de>, "Schubotz, Moritz" <schubotz@tu-berlin.de>, "www-math@w3.org" <www-math@w3.org>

This reminds me that the Chrome team ripped out the MathML support code from their Blink engine when it was forked from WebKit over two years ago. If I recall correctly, they said it was for "security reasons" and that they didn't have resources that could ensure that the code didn't have security vulnerabilities.

Paul

> -----Original Message-----
> From: Deyan Ginev [mailto:d.ginev@jacobs-university.de]
> Sent: Friday, December 04, 2015 1:49 PM
> To: Schubotz, Moritz <schubotz@tu-berlin.de>; www-math@w3.org
> Subject: Re: Is MathML really Dangerous?
>
> Dear all,
>
> It's great to hear that there is interest in security for MathML. I
> would also be curious to hear if a "security audit" of any form has been
> performed on the spec, maybe as part of the integration work with the
> HTML5 working group.
>
> Security audits are an inevitability when production-ready technologies
> start being used in enterprise settings, and given the scale and
> importance of the MediaWiki installations out there, it's reasonable
> that they would at least ask the question. In this scope, this is a
> question also suitable for the HTML5 community, and I see MathML is
> already featured on html5sec:
>
> https://html5sec.org/?mathml
>
> Does the Math WG know of prior interest in this subject?
>
> Greetings,
> Deyan
>
>
> On 12/04/2015 03:26 PM, Schubotz, Moritz wrote:
> > Hi Bruce,
> >
> > I have the feeling to give a reasonable answer to the question "is ASCII
> > dangerous":
> > https://xkcd.com/327
> > At least in the context of SQL injections it has been well studied.
> > If you expose MathML to browsers that might not even know what MathML is,
> > they might freak out.
> >
> > Moritz

Received on Friday, 4 December 2015 22:01:51 UTC