logo

Database

Reflected cross-site scripting (XSS) In ammonia

Description

mXSS in ammonia via MathML annotation-xml encoding strip If a certain set of MathML tags are enabled, an attacker can inject arbitrary JavaScript code into the user's browser.

The annotation-xml tag has slightly different behavior than the other "integration point" tags in MathML and SVG, but ammonia didn't handle it, so it didn't correctly strip the namespace-incompatible tags.

This vulnerability only has an effect when the math and annotation-xml tags are both enabled, but the encoding attribute is disabled, because it relies on the following sequence of steps:

    User writes code like <math><annotation-xml encoding="text/html"><gadget></annotation-xml></math>.

    Namespace filtering checks the DOM, and it passes. <gadget> is parsed as HTML.

    Attribute filter strips it down to <math><annotation-xml><gadget></annotation-xml></math>. Because the encoding attribute is gone, <gadget> is now parsed as MathML.

    The gadget is written in such a way that it exploits the parsing differences between HTML and MathML.

Additionally, the gadget can only be written using a tag that is parsed as raw text in HTML. These elements are:

    title

    textarea

    xmp

    iframe

    noembed

    noframes

    plaintext

    noscript

    style

    script

Applications that do not explicitly allow any of these tags should not be affected, since none are allowed by default.


Discovered by: ivan0912 (YesWeHack) · Date: 2026-06-29 · Found via local differential analysis and source review of ammonia's sanitisation pipeline; no third-party systems were tested.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Component
Affected version
Patched versions