Sanitizing input before MathJax calls

pedimo...@gmail.com

Jun 14, 2013, 4:24:11 AM
to mathja...@googlegroups.com
Hi!

I'm using AsciiMath with MathJax. My question is, how can I achieve proper sanitization of user input before making a call like this (see http://docs.mathjax.org/en/latest/typeset.html): MathJax.Hub.Queue(["Text",studentDisplay,studentAnswer]), to avoid XSS injection?

The problem is that MathJax does accept "lt" and "gt" for "<" and ">", but how do I encode other special characters?

Thank you!

Davide P. Cervone

Jun 14, 2013, 11:02:16 AM
to mathja...@googlegroups.com
Because the Text method of an Element Jax creates a DOM text node (it doesn't use innerHTML), its contents aren't interpreted as HTML, so I don't think it can be used for XSS injection. I am not aware of any mechanism in AsciiMath itself for doing this. So I think this is safe. If you have an example of how this can be used for XSS injection, please let us know.

Davide



pedimo...@gmail.com

Jun 14, 2013, 2:26:40 PM
to mathja...@googlegroups.com, dp...@union.edu
OK, it's good to know that... and what about the Typeset method?

Davide P. Cervone

Jun 14, 2013, 5:19:12 PM
to mathja...@googlegroups.com
As I said, I don't know of anything in AsciiMath that can be used to do XSS insertion, so typesetting AsciiMath should not be a problem.

Davide

Davide P. Cervone

Jun 14, 2013, 5:21:32 PM
to mathja...@googlegroups.com
PS, typesetting TeX or MathML could allow that, so that is why we introduced the Safe extension in v2.2.  See the documentation on that at


for details.

Davide


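Davide's point above is that the "Text" call never parses the string as HTML, so the risk is not the string itself but what the math format can carry into the rendered output: TeX macros such as \href, \class, \cssId and \style, and MathML attributes such as href, style, class or on* handlers, which is what the Safe extension restricts. As an added example that is not MathJax's code and not part of this thread, here is a JavaScript pre-screen you could run on the server or just before queuing. The format names "asciimath"/"tex"/"mathml", the macro and element lists, and the reject-by-default policy are my assumptions; treat it as defense in depth alongside the Safe extension, not a replacement for it.

```javascript
"use strict";

// Added example (not MathJax's own code): a conservative pre-screen for
// user-supplied math before it is handed to
//   MathJax.Hub.Queue(["Text", jax, src]);
// The "Text" call never parses src as HTML (it becomes a DOM text node), so
// what matters is what the math format can smuggle into the rendered output:
// TeX macros such as \href, \class, \cssId, \style, \mmlToken and \require,
// and MathML attributes such as href, on*, style, class and id.
// AsciiMath has none of these, so it is passed through unchanged.
// The format names and the reject-by-default policy are assumptions here.

const ALLOWED_SCHEMES = /^(https?|mailto):/i;

// Decode the numeric and basic named HTML entities browsers honour inside
// attribute values, so "&#106;avascript:" is judged as "javascript:".
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|lt|gt|amp|quot|apos);/gi, (_, e) => {
    if (e[0] !== "#") {
      return { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" }[e.toLowerCase()];
    }
    const cp = e[1].toLowerCase() === "x" ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
  });
}

// Strip whitespace and control characters (browsers accept "java\tscript:"
// as "javascript:"), then require an allowed scheme on any absolute URL;
// relative and fragment URLs are fine.
function isSafeUrl(raw) {
  const url = decodeEntities(raw).replace(/[\s\u0000-\u001f]+/g, "");
  return !/^[a-z][a-z0-9+.-]*:/i.test(url) || ALLOWED_SCHEMES.test(url);
}

// TeX: drop comments first (MathJax ignores them, so a macro inside one is
// harmless), refuse the macros that attach attributes to the output, and vet
// the target of any \href.
function screenTex(src) {
  const clean = src.replace(/(^|[^\\])%[^\n]*/g, "$1");
  const m = clean.match(/\\(class|cssId|style|mmlToken|require)\b/);
  if (m) return { ok: false, reason: `\\${m[1]} is not allowed in user input` };
  const hrefRe = /\\href\s*\{([^}]*)\}/g;
  let h;
  while ((h = hrefRe.exec(clean)) !== null) {
    if (!isSafeUrl(h[1])) return { ok: false, reason: `unsafe \\href target: ${h[1]}` };
  }
  return { ok: true, reason: null };
}

// MathML: allow only presentation-MathML elements (assumed allowlist) and
// refuse attributes that can carry script, styling or a CSS/JS targeting hook.
const MATHML_ELEMENTS = new Set([
  "math", "mi", "mn", "mo", "mtext", "ms", "mspace", "mrow", "mfrac", "msqrt",
  "mroot", "mstyle", "merror", "mpadded", "mphantom", "mfenced", "menclose",
  "msub", "msup", "msubsup", "munder", "mover", "munderover", "mmultiscripts",
  "mprescripts", "none", "mtable", "mtr", "mtd", "semantics", "annotation",
]);
const FORBIDDEN_ATTRS = /^(on.*|style|class|id)$/i;

function screenMathML(src) {
  if (/<[!?]/.test(src)) {
    return { ok: false, reason: "comments and processing instructions are not allowed" };
  }
  const tagRe = /<\s*\/?\s*([A-Za-z][\w:-]*)([^>]*)>/g;
  const attrRe = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let t;
  while ((t = tagRe.exec(src)) !== null) {
    const tag = t[1].toLowerCase();
    if (!MATHML_ELEMENTS.has(tag)) return { ok: false, reason: `element <${tag}> is not allowed` };
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(t[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (FORBIDDEN_ATTRS.test(name)) return { ok: false, reason: `attribute ${name} is not allowed` };
      if ((name === "href" || name === "xlink:href") && !isSafeUrl(value)) {
        return { ok: false, reason: `unsafe href: ${value}` };
      }
    }
  }
  return { ok: true, reason: null };
}

// Dispatcher: returns {ok, reason}; only queue the source when ok is true.
function screenMathInput(format, src) {
  switch (format) {
    case "asciimath": return { ok: true, reason: null };
    case "tex": return screenTex(src);
    case "mathml": return screenMathML(src);
    default: throw new Error(`unknown math format: ${format}`);
  }
}
```

The screen is deliberately stricter than the Safe extension (it refuses \class and \style outright rather than filtering their values) because user answers in a quiz rarely need them; loosen the lists if your input legitimately uses them, and keep the entity and whitespace normalisation in isSafeUrl, since that is where scheme checks usually go wrong.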

Dayal Purohit

Jun 14, 2013, 10:53:04 PM
to mathja...@googlegroups.com, dp...@union.edu
wow! this is really nice.

d^3p