Описание
MathLive's Lack of Escaping of HTML allows for XSS
Summary
Despite normal text rendering as LaTeX expressions, preventing XSS, the library also provides users with commands which may modify HTML, such as the \htmlData command, and the lack of escaping leads to XSS.
Details
Overall in the code, other than in the test folder, no functions escaping HTML can be seen.
PoC
- Go to https://cortexjs.io/mathlive/demo/
- Paste either
\htmlData{><img/onerror=alert(1)"src=}{}or\htmlData{x=" ><img/onerror=alert(1) src>}{}in the LaTeX textarea.
Impact
MathLive users who render untrusted mathematical expressions could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML.
Пакеты
mathlive
<= 0.103.0
0.104.0
Связанные уязвимости
Cross Site Scripting vulnerability in arnog MathLive Versions v0.103.0 and before (fixed in 0.104.0) allows an attacker to execute arbitrary code via the MathLive function.
Уязвимость редактора математических формул MathLive, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю проводить межсайтовые сценарные атаки