GHSA-qwj6-q94f-8425
MathLive's Lack of Escaping of HTML allows for XSS
Details
### Summary Despite normal text rendering as LaTeX expressions, preventing XSS, the library also provides users with commands which may modify HTML, such as the `\htmlData` command, and the lack of escaping leads to XSS.
### Details Overall in the code, other than in the `test` folder, no functions escaping HTML can be seen.
### PoC 1. Go to https://cortexjs.io/mathlive/demo/ 2. Paste either `\htmlData{><img/onerror=alert(1)"src=}{}` or `\htmlData{x=" ><img/onerror=alert(1) src>}{}` in the LaTeX textarea.
### Impact MathLive users who render untrusted mathematical expressions could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML.
Are you affected?
Enter the version of the package you're using.