From: Paul Libbrecht <paul@hoplahup.net>

Date: Fri, 04 Dec 2015 23:04:56 +0100

Message-ID: <56620E08.3010302@hoplahup.net>

To: Physikerwelt <wiki@physikerwelt.de>

CC: www-math@w3.org

Date: Fri, 04 Dec 2015 23:04:56 +0100

Message-ID: <56620E08.3010302@hoplahup.net>

To: Physikerwelt <wiki@physikerwelt.de>

CC: www-math@w3.org

Moritz, Can an answer be read from the Media-Type registration's "Security Concerns": http://www.w3.org/TR/MathML3/appendixb.html >From there, one can probably read what can be removed to make MathML safe: - remove anything that includes external content (e.g. DTD things, styles, images, annotations), - do not compute with it (or remove MathML-Content), - remove foreign content (anything outside the MathML namespace and probably all annotations). This has been validated by readers of the ietf-media-type mailing-list, I believe. I'll note that the same requirement has been expressed for MathML to be considered by the ClipOps spec https://w3c.github.io/clipboard-apis/ which is still in draft. Are we not able to write a note that demonstrates such a security? Paul > Physikerwelt <mailto:wiki@physikerwelt.de> > 4 décembre 2015 19:04 > Dear W3C Math WG, > > I wonder if there is a resilient security assessment for MathML. It > would be nice, if there was at least a subset of MathML, for which the > security was proven according to state-of-the-art of science and > technology. For example I could imagine that only presentation MathML > without a finite list of possible dangerous elements such as maction > or annotation could be the secure MathML subset. > > The background of my question is that the Wikimedia Foundation > considers opening the POST endpoint for converting several input > formats (i.e. TeX, AsciMathML, and MathML) to MathML + SVG (+ PNG) [1] > for the public[2]. > Currently this conversion endpoint it is only accessible from within > the Wikimedia Foundation cluster and only accepts texvc* input. > > Best > > Moritz Schubotz > > [1] > https://en.wikipedia.org/api/rest_v1/?doc#!/Math/post_media_math_check_type > if you try this link you’ll get a “This client is not allowed to use > the endpoint” exception rather than the security checked texvc output > you receive in the unstable demo here > http://math.beta.wmflabs.org:7231/math.beta.wmflabs.org/v1/?doc#!/Math/post_media_math_check_type > > [2] https://phabricator.wikimedia.org/T116147 > > *) texvc is a well-defined subset of LaTeX with some custom macros. >Received on Friday, 4 December 2015 22:05:30 UTC

*
This archive was generated by hypermail 2.3.1
: Friday, 4 December 2015 22:05:30 UTC
*