[Webkit-unassigned] [Bug 124128] [regression] foreign content not displayed in MathML

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Nov 11 09:20:59 PST 2013


--- Comment #10 from Frédéric Wang <fred.wang at free.fr>  2013-11-11 09:19:40 PST ---
(In reply to comment #9)
> Mixing arbitrary markup with MathML was introducing a case where non-MathML nodes were being interpreted as MathML. This could pose a security risk.
> Based on the language in http://www.w3.org/TR/MathML/chapter6.html#world-int-combine-other, it seemed like allowing arbitrary markup inside MathML documents was not intended to work. Indeed, the MathML validator at W3C (http://validator.w3.org) rejects example with non-MathML markup inside the MathML document.
> For these reasons, I turned off the ability to host non-MathML inside a document as part of the security fix https://bugs.webkit.org/show_bug.cgi?id=121728

Chapter 6 mentions "Extending the schema in this way is easily achieved using the Relax NG schema described in Appendix A Parsing MathML, it may be as simple as including the MathML schema whilst overriding the content model of mtext:"

In particular, the HTML5 validator modifies the RelaxNG schema to allow foreign content in <mtext> elements. However, my testcase is not correct, I think only inline elements are allowed (I don't know the exact list). At least it will validate if you replace <p> by <span> in the test case.

Allowing foreign content is an important feature for native MathML (for example to allow features like in the Mozilla demos or http://www.youtube.com/watch?v=imIwtZ-mNcc or "SVG in equation" in http://golem.ph.utexas.edu/wiki/instiki/show/Sandbox)

Also, this is needed to implement the <semantics> element, otherwise we can not display alternate <annotation-xml> elements. 

Finally, there are a couple of unit tests that will fail or become incorrect if we are not able to use HTML in MathML.

mtext and annotation-xml are implemented in Gecko and there is a similar feature in SVG with the foreignObject (which is implemented in WebKit), so I guess there is a way to allow that in a secured way? I suspect it should be handled on the HTML5 parser side, to do the correct namespace mapping.

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list