GHSA-qwj6-q94f-8425: MathLive's Lack of Escaping of HTML allows for XSS

Summary

Although ordinary text is rendered as LaTeX expressions, which prevents XSS, the library also provides commands that modify the generated HTML, such as the \htmlData command, and the lack of escaping in those commands leads to XSS.

Details

Across the code base, other than in the test folder, no HTML-escaping functions can be seen.

PoC

  1. Go to https://cortexjs.io/mathlive/demo/
  2. Paste either \htmlData{><img/onerror=alert(1)"src=}{} or \htmlData{x=" ><img/onerror=alert(1) src>}{} in the LaTeX textarea.

Impact

MathLive users who render untrusted mathematical expressions could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML.
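The root cause described above is that the argument of \htmlData reaches the generated markup without attribute escaping. The following is an added example, not MathLive's own code or its fix, of how a renderer can emit data-* attributes for such a command defensively: attribute names are restricted to plain identifiers and attribute values are escaped. It assumes a constructed "key=value,key2=value2" argument convention and a hypothetical renderHtmlData helper, and it shows both PoC payloads from the advisory being neutralised.

```javascript
// Added example (not MathLive's code): rendering \htmlData{arg}{body} so the
// argument cannot break out of the attribute context.
// Assumption (constructed for this example): arg is "key=value,key2=value2"
// and body is already-rendered markup. Values containing commas are not
// supported by this simple splitter.

const ATTR_NAME = /^[A-Za-z][A-Za-z0-9-]*$/;

// Escape every character that can end an attribute value or open a tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Parse "k=v,k2=v2" into [name, value] pairs. Names that are not plain
// identifiers are rejected, so the output can only ever contain
// data-<name>="<escaped value>" and never an injected tag or event handler.
function parseHtmlData(arg) {
  const attrs = [];
  for (const part of String(arg).split(',')) {
    const eq = part.indexOf('=');
    const name = (eq < 0 ? part : part.slice(0, eq)).trim();
    const value = eq < 0 ? '' : part.slice(eq + 1).trim();
    if (!ATTR_NAME.test(name)) {
      throw new Error(`invalid data attribute name: ${JSON.stringify(name)}`);
    }
    attrs.push([name.toLowerCase(), value]);
  }
  return attrs;
}

// Hypothetical renderer hook: wrap body in a span carrying the data-* attributes.
function renderHtmlData(arg, body) {
  const attrs = parseHtmlData(arg)
    .map(([name, value]) => ` data-${name}="${escapeAttr(value)}"`)
    .join('');
  return `<span${attrs}>${body}</span>`;
}

// Demonstration with the two payloads quoted in the advisory.
function demo() {
  const results = {};
  // Payload 1 puts "<img" in the attribute *name* position: rejected outright.
  try {
    renderHtmlData('><img/onerror=alert(1)"src=', '');
    results.payload1 = 'rendered';
  } catch (e) {
    results.payload1 = 'rejected: ' + e.message;
  }
  // Payload 2 puts the tag in the *value*: escaped, so it stays inert text.
  results.payload2 = renderHtmlData('x=" ><img/onerror=alert(1) src>', '');
  // Ordinary use still works.
  results.benign = renderHtmlData('foo=bar,count=3', 'x');
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Rejecting unexpected attribute names rather than escaping them is deliberate: an attribute name has no safe escaped form in HTML, so anything outside a fixed character class should never reach the output. Only values are escaped.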

References

  • GHSA-qwj6-q94f-8425
  • arnog/mathlive@abc2605