Summary
Despite normal text rendering as LaTeX expressions, preventing XSS, the library also provides users with commands which may modify HTML, such as the \htmlData command, and the lack of escaping leads to XSS.
Details
Overall in the code, other than in the test folder, no functions escaping HTML can be seen.
PoC
- Go to https://cortexjs.io/mathlive/demo/
- Paste either
\htmlData{><img/onerror=alert(1)"src=}{} or \htmlData{x=" ><img/onerror=alert(1) src>}{} in the LaTeX textarea.
Impact
MathLive users who render untrusted mathematical expressions could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML.
References
Summary
Despite normal text rendering as LaTeX expressions, preventing XSS, the library also provides users with commands which may modify HTML, such as the
\htmlDatacommand, and the lack of escaping leads to XSS.Details
Overall in the code, other than in the
testfolder, no functions escaping HTML can be seen.PoC
\htmlData{><img/onerror=alert(1)"src=}{}or\htmlData{x=" ><img/onerror=alert(1) src>}{}in the LaTeX textarea.Impact
MathLive users who render untrusted mathematical expressions could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML.
References