safety of jsmath on a wiki

Help
Joey Hess
2010-08-30
2013-04-29
  • Joey Hess
    2010-08-30

    Hello, I am considering integrating jsMath support into my wiki engine, IkiWiki (http://ikiwiki.info).

    IkiWiki strives to prevent users from putting arbitrary javascript onto wiki pages, in order to avoid the classes of security holes that can be exploited by letting untrusted users add javascript to a site.

    My question is whether jsMath is suitable to be used in such a wiki setting. Has it been written in a way that can reasonably surely guarantee that input TeX cannot be crafted to cause arbitrary javascript or html to be generated/run? Would you treat bugs that allowed that to happen as security holes? Have there been any in the past?

    Thanks,
    Joey Hess <joey@ikiwiki.info>

  • The TeX input can't be crafted to cause arbitrary javascript to run (unless the user already has access to javascript earlier in the page, or has access to the jsMath files on the server).  Yes, this would be considered a security issue.  I am not aware of any such occurrences in the past.

    As for arbitrary HTML, jsMath expects non-mathematics formatting to be done via HTML rather than TeX commands, so it does not process TeX commands in text mode, such as within an \hbox{}.  Under some circumstances, an author can use HTML within text mode to format the text content.  If you are using the tex2math preprocessor, then there can be no HTML tags (other than <br>) within the mathematics, so this is not possible, but if you are using explicit <SPAN CLASS="math">…</SPAN> and <DIV CLASS="math">…</DIV> tags, then the mathematics can contain such formatting HTML.  (Of course, if you are filtering them out as part of your wiki software, then there is no problem.)

    When the tex2math preprocessor is used, there is a special notation available for allowing HTML within the mathematics, but that is disabled by default.  You would need to change the safeHBoxes setting in the easy/load.js file to open up that security hole.

    There is an extension that allows insertion of CSS id, class, or style information, and one that provides the ability to control border and background styles.  These are loaded on demand when those features are used in the TeX that is part of the page.  The parameters for these are checked for <, >, and &, so they should not be able to be used to insert arbitrary HTML.

    So I think the answer to your question is "no": jsMath can't be used to insert arbitrary HTML, either.

    Davide
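As an added illustration of the checking policy Davide describes for the CSS id/class/style extension parameters (a value containing `<`, `>` or `&` is refused so it can never open a tag or an entity), here is a small JavaScript example. It is not jsMath's own code and does not reproduce its internals; the function names, the attribute-quote escaping, and the sample inputs are this example's own constructions.

```javascript
// Added example, not jsMath's code: mirrors the stated policy that extension parameters
// are checked for '<', '>' and '&' before they are emitted into the page.

// Any of these three characters is enough to refuse the value outright.
const FORBIDDEN = /[<>&]/;

// Returns true when the parameter contains none of the checked characters.
function isSafeStyleParam(value) {
  return typeof value === "string" && !FORBIDDEN.test(value);
}

// Builds the <span class="math ..."> wrapper that carries the mathematics.
// Unsafe class values are rejected rather than "cleaned". Double quotes are
// additionally escaped because the value lands inside an attribute; that extra
// step is this example's own choice, not a documented jsMath behaviour.
// The TeX body is entity-escaped so no HTML tag can survive inside the math,
// matching the tex2math rule that the mathematics carries no tags.
function buildMathSpan(className, texSource) {
  if (!isSafeStyleParam(className)) {
    throw new Error("unsafe CSS parameter rejected: " + JSON.stringify(className));
  }
  const attr = className.replace(/"/g, "&quot;");
  const body = texSource
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
  return '<span class="math ' + attr + '">' + body + "</span>";
}

// Classifies a list of candidate parameter values (constructed samples).
function classify(values) {
  return values.map((v) => ({ value: v, safe: isSafeStyleParam(v) }));
}

// Constructed samples: one ordinary class name, one value carrying a tag,
// one value trying to smuggle markup through an entity.
const SAMPLES = ["display-inline", "<b>x</b>", "a&amp;b"];

// Stand-alone run: prints which samples pass and one safely built span.
console.log(classify(SAMPLES));
console.log(buildMathSpan("display-inline", "x < y"));
```

The point of refusing rather than rewriting the parameter is that the page then never has to reason about what a partially stripped value might still do once it reaches the browser.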