
Re: HTML5 semantics and XSLT

Subject: Re: HTML5 semantics and XSLT
From: "David Carlisle d.p.carlisle@xxxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 23 Feb 2022 17:00:36 -0000
On Wed, 23 Feb 2022 at 16:30, Piez, Wendell A. (Fed) wendell.piez@xxxxxxxx <
xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx> wrote:

> Friends,
>
>
>
> Starting from an interesting post at
> https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
> (brought to my attention by a colleague) ...
>
>
>
> Amazingly, it appears to be true that opened in a current web browser, a
> document like the following will proceed to execute the script it contains.
>
>
>
> <!DOCTYPE html>
> <html xmlns="http://www.w3.org/1999/xhtml">
>     <head>
>         <title>Boo?</title>
>     </head>
>     <body>
>
>
>     </body>
> </html>
>


Isn't this expected? If you parse as html then the xmlns attribute is
ignored so that's just a normal html element with a standard JavaScript
script.
If you serve it as text/xml and parse as xhtml then things would be
different.

David




>
>
> NB: yes, that supposed MathML is bogus. FWIW this is also different from
> the code snippet in the post, which isn't actually realistic. But it
> documents a real phenomenon.
>
>
>
> The reason I remark on this is that (as noted in the post) it implies that
> any template such as this (copied from a widely distributed library), when
> targeting HTML, might be problematic on some uncontrolled inputs:
>
>
>
> <xsl:template match="*" mode="math">
>    <xsl:element name="{local-name()}"
>                 namespace="http://www.w3.org/1998/Math/MathML">
>        <xsl:apply-templates select="@*|node()" mode="math"/>
>    </xsl:element>
> </xsl:template>
>
>
>
> Might this need to be defended, maybe by emitting a prefix on every
> element name it makes?
>
>
>
> <xsl:template match="*" mode="math">
>    <xsl:element name="mml:{local-name()}"
>                 namespace="http://www.w3.org/1998/Math/MathML">
>        <xsl:apply-templates select="@*|node()" mode="math"/>
>    </xsl:element>
> </xsl:template>
>
>
>
> Otherwise, at least as reported in the post cited above, an OpenOffice
> document, when previewed in certain execution contexts, can act much like a
> Word document with embedded malware.
>
>
>
> Comments?
>
>
>
> Regards, Wendell
>
>

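Added example, not part of either message above: a Python sketch comparing how a namespace-aware XML parse and a namespace-unaware HTML tokenizer name the element that each of the two quoted templates would emit for an input element called "script". The serialized fragments are constructed, and Python's html.parser is only a stand-in for HTML-mode tag handling (an assumption; it is not a browser's tree builder).

```python
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

XHTML = "http://www.w3.org/1999/xhtml"
MATHML = "http://www.w3.org/1998/Math/MathML"

# Constructed serializations of one output element from each template.
# First template: name="{local-name()}", default namespace declaration.
UNPREFIXED = f'<script xmlns="{MATHML}">/* constructed placeholder */</script>'
# Second template: name="mml:{local-name()}", prefixed declaration.
PREFIXED = (f'<mml:script xmlns:mml="{MATHML}">'
            '/* constructed placeholder */</mml:script>')


def doc(fragment):
    """Wrap a fragment in a minimal XHTML-namespaced document."""
    return f'<html xmlns="{XHTML}"><body>{fragment}</body></html>'


class _TagNames(HTMLParser):
    """Collects start-tag names exactly as the HTML tokenizer reports them."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        # xmlns shows up in attrs as an ordinary attribute; it does not
        # change the tag name the HTML side sees.
        self.names.append(tag)


def html_names(markup):
    """Element names as seen when the markup is read as HTML."""
    parser = _TagNames()
    parser.feed(markup)
    parser.close()
    return parser.names


def xml_names(markup):
    """Expanded {namespace}local names as seen by an XML parser."""
    return [el.tag for el in ET.fromstring(markup).iter()]


if __name__ == "__main__":
    for label, frag in (("unprefixed", UNPREFIXED), ("prefixed", PREFIXED)):
        print(label, "as HTML:", html_names(doc(frag)))
        print(label, "as XML: ", xml_names(doc(frag)))
```

Both forms are the same MathML-namespace element to an XML parser; only the unprefixed form reaches the HTML side under the plain name "script".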