diff --git a/builtins/safe-default-configuration.json b/builtins/safe-default-configuration.json
index 88f5b32..8f1da50 100644
--- a/builtins/safe-default-configuration.json
+++ b/builtins/safe-default-configuration.json
@@ -506,6 +506,248 @@
 "namespace": null
 }
 ]
+ },
+ {
+ "name": "math",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "merror",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "mfrac",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "mi",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "mmultiscripts",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "mn",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "mo",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": [
+ {
+ "name": "form",
+ "namespace": null
+ },
+ {
+ "name": "fence",
+ "namespace": null
+ },
+ {
+ "name": "separator",
+ "namespace": null
+ },
+ {
+ "name": "lspace",
+ "namespace": null
+ },
+ {
+ "name": "rspace",
+ "namespace": null
+ },
+ {
+ "name": "stretchy",
+ "namespace": null
+ },
+ {
+ "name": "symmetric",
+ "namespace": null
+ },
+ {
+ "name": "maxsize",
+ "namespace": null
+ },
+ {
+ "name": "minsize",
+ "namespace": null
+ },
+ {
+ "name": "largeop",
+ "namespace": null
+ },
+ {
+ "name": "movablelimits",
+ "namespace": null
+ }
+ ]
+ },
+ {
+ "name": "mover",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": [
+ {
+ "name": "accent",
+ "namespace": null
+ }
+ ]
+ },
+ {
+ "name": "mpadded",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": [
+ {
+ "name": "width",
+ "namespace": null
+ },
+ {
+ "name": "height",
+ "namespace": null
+ },
+ {
+ "name": "depth",
+ "namespace": null
+ },
+ {
+ "name": "lspace",
+ "namespace": null
+ },
+ {
+ "name": "voffset",
+ "namespace": null
+ }
+ ]
+ },
+ {
+ "name": "mphantom",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "mprescripts",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "mroot",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "mrow",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "ms",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "mspace",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": [
+ {
+ "name": "width",
+ "namespace": null
+ },
+ {
+ "name": "height",
+ "namespace": null
+ },
+ {
+ "name": "depth",
+ "namespace": null
+ }
+ ]
+ },
+ {
+ "name": "msqrt",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "mstyle",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "msub",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "msubsup",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "msup",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "mtable",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "mtd",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": [
+ {
+ "name": "columnspan",
+ "namespace": null
+ },
+ {
+ "name": "rowspan",
+ "namespace": null
+ }
+ ]
+ },
+ {
+ "name": "mtext",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "mtr",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
+ },
+ {
+ "name": "munder",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": [
+ {
+ "name": "accentunder",
+ "namespace": null
+ }
+ ]
+ },
+ {
+ "name": "munderover",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": [
+ {
+ "name": "accent",
+ "namespace": null
+ },
+ {
+ "name": "accentunder",
+ "namespace": null
+ }
+ ]
+ },
+ {
+ "name": "semantics",
+ "namespace": "http://www.w3.org/1998/Math/MathML",
+ "attributes": []
 }
 ],
 "attributes": [
@@ -520,6 +762,30 @@
 {
 "name": "title",
 "namespace": null
+ },
+ {
+ "name": "dir",
+ "namespace": null
+ },
+ {
+ "name": "displaystyle",
+ "namespace": null
+ },
+ {
+ "name": "mathbackground",
+ "namespace": null
+ },
+ {
+ "name": "mathcolor",
+ "namespace": null
+ },
+ {
+ "name": "mathsize",
+ "namespace": null
+ },
+ {
+ "name": "scriptlevel",
+ "namespace": null
 }
 ]
 }
\ No newline at end of file
diff --git a/builtins/safe-default-configuration.py b/builtins/safe-default-configuration.py
index 61996fd..5d7c7f2 100644
--- a/builtins/safe-default-configuration.py
+++ b/builtins/safe-default-configuration.py
@@ -24,11 +24,17 @@ def main():
 pass
 elif line.startswith("- "):
 current.append({ "name": line[2:],
 "namespace": None })
- elif line == "[HTML Global]":
+ elif line.startswith("[") and line.endswith("Global]"):
 current = result["attributes"]
 else:
- elem = { "name": line, "namespace": "http://www.w3.org/1999/xhtml",
- "attributes": [] }
+ if line.startswith("math "):
+ elem = {"name": line[5:],
+ "namespace": "http://www.w3.org/1998/Math/MathML"}
+ elif line.startswith("svg "):
+ elem = {"name": line[4:], "namespace": "http://www.w3.org/2000/svg"}
+ else:
+ elem = {"name": line, "namespace": "http://www.w3.org/1999/xhtml"}
+ elem["attributes"] = []
 result["elements"].append(elem)
 current = elem["attributes"]
diff --git a/builtins/safe-default-configuration.txt b/builtins/safe-default-configuration.txt
index 7c8850b..348aa2f 100644
--- a/builtins/safe-default-configuration.txt
+++ b/builtins/safe-default-configuration.txt
@@ -158,7 +158,6 @@ th
 // Purposely omitted.
 // SVG: TBD
-// MathML: TDB
 // HTML global attributes
 //
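Review bot: The relaxed header test `elif line.startswith("[") and line.endswith("Global]"):` lets a bracketed section header that does not end in exactly `Global]` (a typo such as `[MathML global]`) fall through to the `else` branch, where it is emitted as an XHTML element named after the header; because this script generates the sanitizer's safe allowlist, a malformed header should abort the build rather than silently widen the list. Splitting the test as `elif line.startswith("["):` / `if not line.endswith("Global]"): raise ValueError("unknown section header: " + line)` / `current = result["attributes"]` accepts the same inputs as today and rejects everything else. Note too that `[HTML Global]` and `[MathML Global]` both set `current = result["attributes"]`, so the MathML globals land in the single top-level attribute list and are accepted on HTML elements as well; if that is intended, a one-line comment there (`# every *Global section feeds the one top-level attribute list; it is not per-namespace`) would make it explicit. The enclosing main() begins before the hunk and presumably continues after it.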
@@ -169,3 +168,78 @@ th
 - lang
 - title
+// MathML
+// https://w3c.github.io/mathml-core/#mathml-elements-and-attributes
+//
+// See also: https://w3c.github.io/mathml-docs/mathml-safe-list
+
+math math
+math merror
+math mfrac
+math mi
+math mmultiscripts
+math mn
+math mo
+- form
+- fence
+- separator
+- lspace
+- rspace
+- stretchy
+- symmetric
+- maxsize
+- minsize
+- largeop
+- movablelimits
+math mover
+- accent
+math mpadded
+- width
+- height
+- depth
+- lspace
+- voffset
+math mphantom
+math mprescripts
+math mroot
+math mrow
+math ms
+math mspace
+- width
+- height
+- depth
+math msqrt
+math mstyle
+math msub
+math msubsup
+math msup
+math mtable
+math mtd
+- columnspan
+- rowspan
+math mtext
+math mtr
+math munder
+- accentunder
+math munderover
+- accent
+- accentunder
+math semantics
+
+// Purposely omitted:
+// - math annotation
+// - math annotation-xml
+// - math maction
+
+// MathML global attributes
+// https://w3c.github.io/mathml-core/#global-attributes
+//
+// Most are purposely omitted.
+[MathML Global]
+- dir
+- displaystyle
+- mathbackground
+- mathcolor
+- mathsize
+- scriptlevel
+
diff --git a/index.bs b/index.bs
index f9636d4..c7745e1 100644
--- a/index.bs
+++ b/index.bs
@@ -39,6 +39,11 @@ text: parse HTML from a string; type: dfn; url: https://html.spec.whatwg.org/#pa
 "href": "https://cure53.de/fp170.pdf",
 "title": "mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations",
 "publisher": "Ruhr-Universität Bochum"
+ },
+ "SafeMathML": {
+ "href": "https://w3c.github.io/mathml-docs/mathml-safe-list",
+ "title": "MathML Safe List",
+ "publisher": "W3C Math Working Group"
 }
 }
@@ -768,6 +773,8 @@ path: builtins/safe-default-configuration.json
 highlight: json
+
+Note: Included [[MathML]] markup is based on [[SafeMathML]].
+
 The built-in safe baseline configuration is meant to block only script-content. It is as follows:
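Review bot: The `[MathML Global]` section is introduced with only `// Most are purposely omitted.`, whereas the element section above it spells out each omission (`// Purposely omitted:` followed by `// - math annotation` and the others); for an allowlist whose purpose is keeping script-bearing markup out, the global attributes deserve the same explicit list so a later audit can check the omissions against the linked spec section instead of reconstructing them. A comment such as `// Purposely omitted: every other attribute the linked section lists as global, the event-handler attributes above all if it still lists them` would do. Two further points are worth a line each in this section: the generator in this commit merges these six into the same top-level attribute list as `[HTML Global]`, so they are accepted on HTML elements too, and the section should say so; and if `dir` already appears in the HTML global list above (only its tail, `- lang` / `- title`, is visible in the hunk), the generated JSON would carry that entry twice.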