
Bug: CSS injection through font-family in unicode command. #3129

Open
opcode86 opened this issue Nov 12, 2023 · 1 comment
Labels
Accepted Issue has been reproduced by MathJax team Code Example Contains an illustrative code example, solution, or work-around Merged Merged into develop branch Test Needed v3

Comments

@opcode86

Issue Summary

A user is able to inject custom CSS even if commands like \style are disabled. The style gets rendered into the style attribute of the element containing the unicode character.

This occurs because the font-family is not correctly sanitized and only ' characters are escaped. Whatever is passed as the fontFamily gets shoved into the style attribute.

Steps to Reproduce

  1. Go to any website that uses MathJax and allows the \unicode command.
  2. Enter the following code into the parser \unicode[some-font; color:red; height: 100000px;]{x1234}.

Technical details

  • MathJax Version: 3.2.2 (latest commit: 8565f9da973238e4c9571a86a4bcb281b1d98d9b)
  • Client OS: Windows 10 Education 19045.3570
  • Browser: Chrome 119.0.6045.123
@dpvc
Member

dpvc commented Nov 12, 2023

Thanks for your report, and minimal example. I will make a PR to correct the issue.

If you are allowing user input to be displayed, it is probably best to use the safe extension to help reduce the problems that can be caused by a malevolent user. Unfortunately, it doesn't handle this particular issue, but you can configure it to do so yourself using the following configuration:

MathJax = {
  loader: {load: ['ui/safe']},            // load the safe extension
  startup: {
    ready() {
      MathJax.startup.defaultReady();
      const safe = MathJax.startup.document.safe;
      // route the fontfamily attribute through a custom filter method
      safe.filterAttributes.set('fontfamily', 'filterFamily');
      safe.filterMethods.filterFamily = function (safe, family) {
        // keep only the text before the first semicolon
        return family.split(/;/)[0];
      };
    }
  }
};

This will filter the fontfamily attribute (where the unicode extension puts the font) to remove the first ; and anything following that. You could have it return null when there is a semicolon in the font name to have the safe extension remove the fontfamily attribute entirely.
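The following is an added example, not MathJax code and not from the comment above. It shows why an unfiltered font name is a problem (a naive concatenation into the style attribute turns one font value into several CSS declarations), implements the truncating filter from the configuration above as a stand-alone function, and adds a stricter allowlist variant that returns null so the safe extension drops the attribute entirely. The sample inputs are constructed; the allowlist regex and the function names are assumptions, not part of the MathJax API.

```javascript
// Constructed sample inputs: a benign font list and the payload shape from
// the report (\unicode[some-font; color:red; height: 100000px;]{x1234}).
const BENIGN = "Noto Sans, sans-serif";
const PAYLOAD = "some-font; color:red; height: 100000px;";

// Naive composition of the style attribute: this is the dangerous step,
// because anything after a ';' becomes an additional CSS declaration.
function styleAttribute(family) {
  return family == null ? '' : `font-family: ${family}`;
}

// Count the declarations in a style string; a font-family value should
// ever produce exactly one.
function declarationCount(style) {
  return style.split(';').map(s => s.trim()).filter(Boolean).length;
}

// Work-around from the comment above: keep only the text before the first ';'.
function filterFamilyTruncate(family) {
  return family.split(/;/)[0];
}

// Stricter alternative (assumption: a null return makes the safe extension
// remove the fontfamily attribute, as described above). Each comma-separated
// font name may contain only letters, digits, spaces, underscores and hyphens,
// optionally wrapped in matching quotes; anything else rejects the whole value.
const FONT_NAME = /^\s*(?:"[A-Za-z0-9 _-]+"|'[A-Za-z0-9 _-]+'|[A-Za-z][A-Za-z0-9 _-]*)\s*$/;
function filterFamilyStrict(family) {
  if (typeof family !== 'string' || family.length === 0) return null;
  return family.split(',').every(name => FONT_NAME.test(name)) ? family : null;
}

// Demonstration when run directly: unfiltered, truncated and strict results.
console.log(declarationCount(styleAttribute(PAYLOAD)));               // 3
console.log(styleAttribute(filterFamilyTruncate(PAYLOAD)));           // font-family: some-font
console.log(JSON.stringify(styleAttribute(filterFamilyStrict(PAYLOAD)))); // ""
console.log(styleAttribute(filterFamilyStrict(BENIGN)));              // font-family: Noto Sans, sans-serif
```

The truncating filter keeps the rendered output usable for ordinary font names, while the strict filter is the better choice when the font list is known in advance, since a rejected value loses only the font-family attribute rather than risking any CSS that a future bypass of the semicolon split might smuggle through.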

@dpvc dpvc added Ready for Development Accepted Issue has been reproduced by MathJax team Test Needed v3 Code Example Contains an illustrative code example, solution, or work-around labels Nov 12, 2023
dpvc added a commit to mathjax/MathJax-src that referenced this issue Nov 13, 2023
dpvc added a commit to mathjax/MathJax-src that referenced this issue Nov 20, 2023
Have \unicode check for illegal font name.  (mathjax/MathJax#3129)
@dpvc dpvc added Merged Merged into develop branch and removed Ready for Review labels Nov 20, 2023