Lucas_Werkmeister_WMDE added a comment.
So to summarize T233213: XSS in Wikidata Query Service UI <https://phabricator.wikimedia.org/T233213> (which is now public): The old implementation directly injected the markup from the MathML value into the page, which amounted to an XSS vulnerability if that markup was not pure MathML (e.g. if it contained a `<script>` element). To fix this without completely breaking math markup, I implemented MathML rendering using MathJax – v3 is thankfully easier to bundle than v2, so the problems I had in T214980#4918833 <https://phabricator.wikimedia.org/T214980#4918833> were no longer an issue – and we deployed this about a week ago. Besides fixing the XSS issue, this also has the pleasant effect of enabling MathML rendering in other browsers supported by MathJax, including Chrome. (It also produces different rendering in Firefox than the previous native rendering.) Strictly speaking, that resolves this task.

However, @Physikerwelt points out that this leaves us with two different ways to render math in the wiki world – Mathoid, which I believe uses MathJax 2 and is used on-wiki, and MathJax 3 in the query service. (Note that they don’t fulfill the same job, though: Mathoid renders TeX(-like?) input, whereas in the query service we need to render MathML, though in practice this MathML has usually been generated by Mathoid from TeX input on Wikidata.)

One way to resolve this would be to actually use Mathoid in the query service UI: enable its MathML input type (which is apparently supported but not currently enabled in RESTBase), then each time we want to render a formula, send it to Mathoid and add the resulting… image? HTML? to the page. But this would potentially require a //lot// of network requests – I believe queries with math results are fairly rare, but when they are made, they often include hundreds of results. Another approach would be to bring Mathoid where the query service UI is today, in a sense, by migrating it to MathJax 3.
I believe that’s the subject of T237516: Update to MathJax 3 <https://phabricator.wikimedia.org/T237516>. Did I miss anything?

TASK DETAIL
https://phabricator.wikimedia.org/T214980
_______________________________________________
Wikidata-bugs mailing list
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs
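The hazard the comment describes, as an added example that is not the query service's own code (its actual fix is to render through MathJax 3): a stdlib-only Python check that accepts a MathML string only if every element and attribute is on an allow-list, so a smuggled `<script>` element, an event-handler attribute or a foreign-namespace element is refused before anything reaches the page. The allow-lists, the function names and the sample inputs are assumptions constructed for this example.

```python
"""Allow-list check for MathML markup before it is handed to a renderer.

Added example, not the query service's fix. Illustrates why markup from a
query result must not be injected into a page as-is: it is only *supposed*
to be MathML. Allow-lists, names and samples below are constructed.
"""
import xml.etree.ElementTree as ET

MATHML_NS = "http://www.w3.org/1998/Math/MathML"

# Assumed allow-list: a subset of presentation MathML plus the
# <semantics>/<annotation> wrappers Mathoid-style output carries.
# Anything not listed (script, iframe, maction, mglyph, ...) is rejected.
ALLOWED_ELEMENTS = frozenset({
    "math", "mrow", "mi", "mn", "mo", "mtext", "mspace", "ms",
    "msup", "msub", "msubsup", "mfrac", "msqrt", "mroot",
    "mover", "munder", "munderover", "mmultiscripts", "mprescripts", "none",
    "mtable", "mtr", "mtd", "mstyle", "mpadded", "mphantom", "merror",
    "mfenced", "semantics", "annotation", "annotation-xml",
})

# Assumed allow-list of layout attributes only; URL-bearing (href, src) and
# event-handler (on*) attributes are deliberately absent.
ALLOWED_ATTRIBUTES = frozenset({
    "display", "displaystyle", "mathvariant", "mathsize", "mathcolor",
    "encoding", "stretchy", "fence", "separator", "largeop", "movablelimits",
    "lspace", "rspace", "width", "height", "depth", "linethickness",
    "rowalign", "columnalign", "columnspacing", "rowspacing", "scriptlevel",
    "accent", "accentunder", "open", "close", "separators", "form",
    "symmetric", "minsize", "maxsize", "notation", "voffset",
})


def _split(qualified):
    """Return (namespace, local name) for an ElementTree tag or attribute key."""
    if qualified.startswith("{"):
        ns, _, local = qualified[1:].partition("}")
        return ns, local
    return "", qualified


def check_mathml(markup):
    """Return (accepted, reason).

    Accepts only well-formed XML rooted at <math> whose every element is in
    the MathML namespace (or unnamespaced) and on the element allow-list,
    and whose every attribute is unnamespaced and on the attribute allow-list.
    """
    try:
        root = ET.fromstring(markup)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"

    if _split(root.tag)[1] != "math":
        return False, f"root element is <{_split(root.tag)[1]}>, expected <math>"

    for element in root.iter():  # includes the root itself
        ns, name = _split(element.tag)
        if ns not in ("", MATHML_NS):
            return False, f"element <{name}> is in foreign namespace {ns!r}"
        if name not in ALLOWED_ELEMENTS:
            return False, f"element <{name}> is not allowed"
        for key in element.attrib:
            attr_ns, attr = _split(key)
            if attr_ns:
                return False, f"namespaced attribute {attr!r} on <{name}> is not allowed"
            if attr.lower().startswith("on"):
                return False, f"event handler attribute {attr!r} on <{name}>"
            if attr not in ALLOWED_ATTRIBUTES:
                return False, f"attribute {attr!r} on <{name}> is not allowed"
    return True, "ok"


# Constructed sample: benign Mathoid-style output for x^2 + 1.
SAMPLE_OK = (
    '<math xmlns="http://www.w3.org/1998/Math/MathML"><semantics>'
    "<mrow><msup><mi>x</mi><mn>2</mn></msup><mo>+</mo><mn>1</mn></mrow>"
    '<annotation encoding="application/x-tex">x^2+1</annotation>'
    "</semantics></math>"
)
# Constructed: the case the task describes, a <script> element inside the value.
SAMPLE_SCRIPT = (
    '<math xmlns="http://www.w3.org/1998/Math/MathML">'
    "<mi>x</mi><script>run()</script></math>"
)
# Constructed: no foreign element, but an event-handler attribute.
SAMPLE_HANDLER = '<math><mi onmouseover="run()">x</mi></math>'
# Constructed: an XHTML element nested inside otherwise valid MathML.
SAMPLE_FOREIGN = (
    '<math><mrow xmlns:h="http://www.w3.org/1999/xhtml">'
    "<h:span>x</h:span></mrow></math>"
)

if __name__ == "__main__":
    for label, sample in [("ok", SAMPLE_OK), ("script", SAMPLE_SCRIPT),
                          ("handler", SAMPLE_HANDLER), ("foreign", SAMPLE_FOREIGN)]:
        print(f"{label:8} -> {check_mathml(sample)}")
```

Two caveats a practitioner would want: the check validates names only, so markup that passes should still be inserted into the page as parsed DOM nodes rather than concatenated into an HTML string, and `xml.etree` is not hardened against hostile DTDs, so untrusted input in production belongs behind `defusedxml` or an equivalent. Named entities such as `&alpha;` are not predefined XML entities and will be refused as not well-formed; numeric character references parse fine.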
