
Review security report

Open physikerwelt opened this issue 2 years ago • 2 comments

Is your feature request related to a problem? Please describe. No.

Describe the solution you'd like Make MathJax more secure.

Describe alternatives you've considered None.

Additional context The Wikimedia Foundation did a security review of the MathJax code. While MathJax is very secure, a few minor issues were pointed out. See https://phabricator.wikimedia.org/T354136 for the detailed report.

I suggest the MathJax team looks into the report and closes this issue after reviewing it.

physikerwelt avatar Apr 02 '24 12:04 physikerwelt

Thanks for the report. I see the following at the bottom of the report:

[Scorecard](https://github.com/ossf/scorecard) score
5 / 10  low
(see raw output: P59004)

Static Analysis Findings
sast-scan returned no results. 
semgrep with various rules: P59005
bearer with various rules: P59008
horusec returned these findings: P59010
snyk returned these two findings:

✗ [Medium] Cross-site Scripting (XSS) 
  Path: ts/components/latest.ts, line 247 
  Info: Unsanitized input from browser storage flows into a 'src' script element attribute, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

✗ [Medium] Cross-site Scripting (XSS) 
  Path: ts/components/latest.ts, line 253 
  Info: Unsanitized input from browser storage flows into appendChild, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

The two issues with latest.ts relate to a component that I think no one uses, and should probably be removed (the functionality is covered by the CDNs themselves these days).

The other reports seem to refer to codes like P59004 and such, but I can find no references that explain these. Can you tell me what these are? Are they references to sections of another document that is not linked in? If so, can you let us know what these sections say?

dpvc avatar Apr 02 '24 13:04 dpvc

@dpvc, the links are now clickable.

physikerwelt avatar Apr 02 '24 14:04 physikerwelt