HTML5 semantics and XSLT

Friends,

Starting from an interesting post at
https://blog.sonarsource.com/horde-webmail-account-takeover-via-email (brought
to my attention by a colleague) ...

Amazingly, it appears to be true that opened in a current web browser, a
document like the following will proceed to execute the script it contains.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Boo?</title>
    </head>
    <body>

    </body>
</html>

NB: yes, that supposed MathML is bogus. FWIW this is also different from the
code snippet in the post, which isn't actually realistic. But it documents a
real phenomenon.

The reason I remark on this is that (as noted in the post) it implies that any
template such as this (copied from a widely distributed library), when
targeting HTML, might be problematic on some uncontrolled inputs:

<xsl:template match="*" mode="math">
   <xsl:element name="{local-name()}"
namespace=http://www.w3.org/1998/Math/MathML>
       <xsl:apply-templates select="@*|node()" mode="math"/>
   </xsl:element>
</xsl:template>

Might this need to be defended, maybe by emitting a prefix on every element
name it makes?

<xsl:template match="*" mode="math">
   <xsl:element name="mml:{local-name()}"
namespace=http://www.w3.org/1998/Math/MathML>
       <xsl:apply-templates select="@*|node()" mode="math"/>
   </xsl:element>
</xsl:template>

Otherwise, at least as reported in the post cited above, an OpenOffice
document, when previewed in certain execution contexts, can act much like a
Word document with embedded malware.

Comments?

Regards, Wendell