Url sanitization bypass in ui/safe
Issue Summary
With ui/safe enabled, it's still possible to render javascript: protocol links by including \n or \r characters in the protocol.
Steps to Reproduce:
Go to this codepen: https://codepen.io/sgoedecke/pen/KKQJyPw
Rendering this notebook with the ui/safe extension will create a link that when clicked executes that JS alert(1) code. Explicitly adding
```js
safeOptions: {
  allow: { URLs: 'safe' },
  safeProtocols: { http: 'true', https: 'true', javascript: 'false' }
}
```
doesn't fix the problem.
Technical details:
- MathJax Version: 3 (but as far as I can tell this problem applies to 2.x also)
- Client OS: Mac OS X 11.6
- Browser: Chrome 101.0.4951.54
I am using the following MathJax configuration:
```js
window.MathJax = {
  loader: {
    load: ['ui/safe']
  }
};
```
and loading MathJax via <script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js"></script>
Supporting information:
- Please supply a link to a (live) minimal example page, when possible: https://codepen.io/sgoedecke/pen/KKQJyPw
I've submitted a PR with a fix here: https://github.com/mathjax/MathJax-src/pull/829. If you agree with this fix, I'd like to also port it to the legacy-v2-develop branch.
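The following is an added illustration of the bypass class described in this issue; it is not code from the MathJax project, from the linked PR, or from the reporter. It shows why a protocol allow-list that inspects the raw `href` string lets `java\nscript:` through (the scheme regex finds no `javascript:` prefix, so the link looks relative), and a hardened check that first removes ASCII tab/CR/LF and trims leading and trailing C0 controls, which is what the WHATWG URL parser in browsers does before it reads the scheme. `browserProtocol` uses Node's WHATWG `URL` as ground truth for what the browser will actually execute. All function names, the `SAFE_PROTOCOLS` map and the sample hrefs are my own constructions.

```javascript
// Added example (not MathJax code): CR/LF bypass of a raw-string protocol check
// versus a check that normalizes the href the way a browser does first.
// SAFE_PROTOCOLS mirrors the shape of a safeProtocols allow-list; it is my own.

// Values must be real booleans: the check below compares with === true, so an
// unknown scheme, or a string such as 'false', is denied rather than allowed.
const SAFE_PROTOCOLS = { http: true, https: true, javascript: false };

// Pull a scheme off the front of the href; null means "no scheme" (relative URL).
function extractProtocol(href) {
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(href);
  return m ? m[1].toLowerCase() : null;
}

// Naive check on the raw string. For "java\nscript:alert(1)" the regex stops at
// the newline, finds no scheme, and the href is treated as a safe relative link.
function naiveIsSafe(href) {
  const protocol = extractProtocol(href);
  return protocol === null || SAFE_PROTOCOLS[protocol] === true;
}

// What the WHATWG URL parser does before looking at the scheme: remove every
// ASCII tab, LF and CR anywhere, then trim leading/trailing C0 controls and space.
function normalizeHref(href) {
  return href
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\x00-\x20]+/, '')
    .replace(/[\x00-\x20]+$/, '');
}

// Hardened check: normalize first, then apply the allow-list with strict booleans.
function hardenedIsSafe(href) {
  const protocol = extractProtocol(normalizeHref(href));
  return protocol === null || SAFE_PROTOCOLS[protocol] === true;
}

// Ground truth: the scheme the browser's URL parser assigns to this href.
// Relative hrefs resolve against a constructed page origin.
function browserProtocol(href) {
  try {
    return new URL(href, 'https://example.org/page.html').protocol.slice(0, -1);
  } catch (e) {
    return null;
  }
}

// Constructed sample hrefs, including the CR/LF variants from the report.
const SAMPLES = [
  'https://example.org/',
  '/relative/path',
  'javascript:alert(1)',
  'java\nscript:alert(1)',
  'java\rscript:alert(1)',
  '\tjavascript:alert(1)',
  'JavaScript:alert(1)',
];

// One row per sample: what the browser sees vs. what each check decides.
function report(samples = SAMPLES) {
  return samples.map((href) => ({
    href: JSON.stringify(href),
    browserSees: browserProtocol(href),
    naive: naiveIsSafe(href),
    hardened: hardenedIsSafe(href),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(report());
}
```

Run it with `node` to see the table: every row where `browserSees` is `javascript` but `naive` is `true` is a link the raw-string check would have let through, while `hardened` denies all of them. The normalization step is the important part; matching the allow-list with `=== true` is what makes a misconfigured value such as the string `'false'` fail closed instead of open.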