- Reported: -
- Issued: -
- Package: ammonia (crates.io)
- Type: Vulnerability
- Categories: -
- Keywords: #html #xss
- Patched: >=4.1.3; >=4.0.2, <4.1.0; >=3.3.2, <4.0.0
Description
If a certain set of MathML tags is enabled, an attacker can inject arbitrary JavaScript code into the user's browser.
The annotation-xml tag behaves slightly differently from the other "integration point"
tags in MathML and SVG, but ammonia did not handle that difference, so it did not correctly
strip the namespace-incompatible tags.
This vulnerability only has an effect when the math and annotation-xml tags
are both enabled but the encoding attribute is disabled, because it relies
on the following sequence of steps:
- User writes code like
<math><annotation-xml encoding="text/html"><gadget></annotation-xml></math>.
- Namespace filtering checks the DOM and passes it: with encoding="text/html" still present,
<gadget> is parsed as HTML.
- The attribute filter strips it down to
<math><annotation-xml><gadget></annotation-xml></math>. Because the encoding attribute is gone, <gadget> is now parsed as MathML.
- The gadget is written in such a way that it exploits the parsing differences between HTML and MathML.
Additionally, the gadget can only be written using a tag that is parsed as raw text in HTML.
These elements are:
- title
- textarea
- xmp
- iframe
- noembed
- noframes
- plaintext
- noscript
- style
- script
Applications that do not explicitly allow any of these tags should not be affected, since none are allowed by default.
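As an added illustration of the ordering problem the steps above describe, here is a simplified model written for this page; it is not ammonia's code and not necessarily how the patched versions fix it. It assumes a tiny element tree and models only the math and annotation-xml namespace rules, with <style> standing in for the gadget.

```rust
// Added model of the ordering bug described in this advisory; not ammonia's code
// and not its actual fix. Only the math / annotation-xml rules are modelled.
#[derive(Clone, Debug, PartialEq)]
pub struct Elem { pub name: String, pub attrs: Vec<(String, String)>, pub children: Vec<Elem> }

/// Elements parsed as raw text in HTML (the list from the advisory).
const RAW_TEXT: [&str; 10] = ["title", "textarea", "xmp", "iframe", "noembed",
    "noframes", "plaintext", "noscript", "style", "script"];

/// annotation-xml is an HTML integration point only with one of these encodings.
fn is_html_integration_point(e: &Elem) -> bool {
    e.name == "annotation-xml" && e.attrs.iter().any(|(k, v)| k == "encoding"
        && matches!(v.to_ascii_lowercase().as_str(), "text/html" | "application/xhtml+xml"))
}

/// Namespace check: a raw-text HTML element must not sit where it would be
/// re-parsed as MathML. `in_html` says whether `e`'s children are parsed as HTML.
pub fn namespace_ok(e: &Elem, in_html: bool) -> bool {
    let child_html = if e.name == "math" { false } else { is_html_integration_point(e) || in_html };
    e.children.iter().all(|c| (child_html || !RAW_TEXT.contains(&c.name.as_str()))
        && namespace_ok(c, child_html))
}

/// Attribute filter: drop every attribute not on the allow-list, recursively.
pub fn strip_attrs(e: &Elem, allowed: &[&str]) -> Elem {
    let attrs = e.attrs.iter().filter(|(k, _)| allowed.contains(&k.as_str())).cloned().collect();
    let children = e.children.iter().map(|c| strip_attrs(c, allowed)).collect();
    Elem { name: e.name.clone(), attrs, children }
}

/// Vulnerable order: the namespace check sees the tree *before* `encoding` is stripped.
pub fn sanitize_vulnerable(doc: &Elem, allowed_attrs: &[&str]) -> Option<Elem> {
    if !namespace_ok(doc, true) { return None; }
    Some(strip_attrs(doc, allowed_attrs))
}

/// Fixed order: check the tree that will actually be serialised and re-parsed.
pub fn sanitize_fixed(doc: &Elem, allowed_attrs: &[&str]) -> Option<Elem> {
    let stripped = strip_attrs(doc, allowed_attrs);
    if namespace_ok(&stripped, true) { Some(stripped) } else { None }
}

/// Small constructor used to build the constructed sample input below.
pub fn el(name: &str, attrs: &[(&str, &str)], children: Vec<Elem>) -> Elem {
    let attrs = attrs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect();
    Elem { name: name.to_string(), attrs, children }
}
/// Constructed input shaped like the advisory's, with <style> standing in for <gadget>.
pub fn advisory_input() -> Elem {
    el("math", &[], vec![el("annotation-xml", &[("encoding", "text/html")], vec![el("style", &[], vec![])])])
}
```

With the encoding attribute disallowed, the vulnerable order emits a tree that fails its own namespace check, while the fixed order rejects the input outright.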
Discovered by: ivan0912 (YesWeHack) · Date: 2026-06-29 · Found via local differential analysis and source review of ammonia's sanitisation pipeline; no third-party systems were tested.
Advisory available under CC0-1.0 license.