Is MathML dangerous?
Author: Späth, Christopher
Abstract
HTML5 forms the basis for modern web development and merges different standards. One of these standards is MathML. It is used to express and display mathematical statements. However, with more standards being natively integrated into HTML5, the processing model gets inherently more complex.
In this paper, we evaluate the security risks of MathML. We created a semi-automatic test suite and studied the JavaScript code execution and the XML processing in MathML. We also added the Content-Type handling of major browsers to the picture. We discovered a novel way to manipulate the browser’s status line without JavaScript and found two novel ways to execute JavaScript code, which allowed us to bypass several sanitizers. The fact that JavaScript code embedded in MathML can access session cookies worsens matters even more.
Späth, C. (2018). Is MathML dangerous? In: Langweg, H., Meier, M., Witt, B. C. & Reinhardt, D. (Eds.), SICHERHEIT 2018. Bonn: Gesellschaft für Informatik e.V. (pp. 119-132). DOI: 10.18420/sicherheit2018_09
@inproceedings{mci/Späth2018,
author = {Späth, Christopher},
title = {Is MathML dangerous?},
booktitle = {SICHERHEIT 2018},
year = {2018},
editor = {Langweg, Hanno AND Meier, Michael AND Witt, Bernhard C. AND Reinhardt, Delphine} ,
pages = { 119-132 } ,
doi = { 10.18420/sicherheit2018_09 },
publisher = {Gesellschaft für Informatik e.V.},
address = {Bonn}
}
File | Size |
---|---|
sicherheit2018-09.pdf | 260.3Kb |
More Info
ISBN: 978-3-88579-675-6
ISSN: 1617-5468
Date: 2018
Language: (de)
Content Type: Text/Conference Paper