Any scripts can be executed on client via math expressions

Issue #1 resolved
Jun Omae created an issue

Anyone can attack via a math expression using this:

$$ <script>alert(1)</script> $$

Or

{{{#!LaTex
<script>alert(1)</script>
}}}

The tainted input should be escaped:

diff -r 8eb69640e3a7 tracmathjax/tracmathjax.py
--- a/tracmathjax/tracmathjax.py        Wed Sep 03 07:58:34 2014 -0700
+++ b/tracmathjax/tracmathjax.py        Fri Jan 06 18:06:03 2017 +0900
@@ -1,7 +1,10 @@
+# -*- coding: utf-8 -*-
+
 from genshi.builder import tag
 from genshi.filters import Transformer

 from trac.core import Component, implements
+from trac.util.html import escape
 from trac.wiki.api import IWikiSyntaxProvider, IWikiMacroProvider
 from trac.web.api import ITemplateStreamFilter

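Review bot: the `# -*- coding: utf-8 -*-` header added at the top of this hunk is unrelated to the XSS fix; either leave it out of the security patch or call it out in the commit message, so that `from trac.util.html import escape` stays the only functional change a reviewer has to check here. Using Trac's own `escape` helper rather than a hand-rolled replace is the right choice, since it also handles quote characters, not just angle brackets.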
@@ -61,8 +64,8 @@

     def expand_macro(self, formatter, name, content):
         if name.lower() == "latex":
-            return "<p>\\[\n%s\n\\]</p>" % content
+            return "<p>\\[\n%s\n\\]</p>" % escape(content)

     def _render_inline(self, formatter, ns, match):
         """Inline rendering function."""
-        return match.group("mathjax_inline")
+        return escape(match.group("mathjax_inline"))
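Review bot: neither `expand_macro` nor `_render_inline` gets a regression test in this hunk; both payloads from the report (the `$$ ... $$` inline form and the `{{{#!LaTex` block form) should be covered by a test asserting that a literal `<script` never appears in the returned HTML. Also check what `escape(content)` does when the macro is invoked without a body (`content` is `None`): the previous `"...%s..." % content` formatting tolerated that by printing `None`, and the patched line should not start raising where it used to render.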

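The two rendering paths the patch touches, as an added example that is not part of the original report and not the plugin's own code: the vulnerable and the escaped version of each path are run side by side over the two payloads from the report and over a legitimate expression containing `<`, to show that escaping neutralises the injected tag while the math itself survives. It assumes Python's `html.escape` as a stand-in for `trac.util.html.escape`, a hypothetical `$$ ... $$` regex in place of the plugin's own (which the page does not show), and constructed inputs.

```python
import html
import re

# Stand-in for trac.util.html.escape, which the patch imports: html.escape
# with quote=True escapes the same characters (& < > " '), though it uses a
# different entity for the single quote. Assumption for this example only;
# the None handling via `text or ""` is also this example's choice.
def escape(text):
    return html.escape(text or "", quote=True)


# Block form: the body of {{{#!LaTex ... }}} reaches expand_macro as `content`.
def expand_macro_before(content):
    """Rendering as it stood before the patch: content is inlined verbatim."""
    return "<p>\\[\n%s\n\\]</p>" % content


def expand_macro_after(content):
    """Rendering with the patch applied: content is HTML-escaped first."""
    return "<p>\\[\n%s\n\\]</p>" % escape(content)


# Inline form. The plugin's real regex is not on the page; this hypothetical
# one captures whatever sits between $$ ... $$ under the group name the
# patched _render_inline reads.
INLINE_RE = re.compile(r"\$\$(?P<mathjax_inline>.*?)\$\$", re.DOTALL)


def render_inline_before(wikitext):
    """Inline rendering before the patch: the captured group is returned as-is."""
    return INLINE_RE.sub(lambda m: m.group("mathjax_inline"), wikitext)


def render_inline_after(wikitext):
    """Inline rendering after the patch: the captured group is escaped."""
    return INLINE_RE.sub(lambda m: escape(m.group("mathjax_inline")), wikitext)


def script_survives(rendered):
    """True if a raw <script> tag is still present in the rendered HTML."""
    return "<script" in rendered.lower()


def text_seen_by_mathjax(rendered_inline):
    """What MathJax gets to typeset: the browser decodes entities in the text
    node, so escaped math comes back as the original characters."""
    return html.unescape(rendered_inline)


# Constructed inputs: the two payloads from the report plus a legitimate
# expression containing '<', to show escaping does not damage real math.
BLOCK_PAYLOAD = "<script>alert(1)</script>"
INLINE_PAYLOAD = "$$ <script>alert(1)</script> $$"
LEGIT_INLINE = "$$ a < b $$"

if __name__ == "__main__":
    print("block, before :", script_survives(expand_macro_before(BLOCK_PAYLOAD)))
    print("block, after  :", script_survives(expand_macro_after(BLOCK_PAYLOAD)))
    print("inline, before:", script_survives(render_inline_before(INLINE_PAYLOAD)))
    print("inline, after :", script_survives(render_inline_after(INLINE_PAYLOAD)))
    print("MathJax sees  :", repr(text_seen_by_mathjax(render_inline_after(LEGIT_INLINE))))
```

The last line is the point a reviewer usually asks about: escaping `<` to `&lt;` does not break MathJax, because MathJax reads the decoded text of the element, not the raw HTML source, so `a &lt; b` in the markup is typeset as `a < b`.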
Comments (3)
