On Wed, Jun 24, 2026 at 11:19 AM Frédéric Wang Nélar <[email protected]> wrote:
> Thanks, that's a good question. I think currently the WG wants to be
> consistent and follow SVG/HTML. Meng Tan opened an issue in the spec repo
> for discussion: https://github.com/w3c/mathml-core/issues/333

Thanks!

> If they decide to support javascript: URLs, we should make sure the same
> mitigations as for HTML/SVG exist and are covered by tests (e.g. handling
> by the sanitizer API or trusted types spec).

Yes. I also think it needs to be communicated clearly: This is new markup that executes unconstrained Javascript in an arguably surprising way, and is an instant bypass for any 3rd-party sanitizer or linter (if they support MathML at all). External sanitizer libraries are still much more common than either TT or the built-in HTML Sanitizer. We should at least give people a proper heads-up if we go this route.

> On 23/06/2026 at 19:28, 'Daniel Vogelheim' via blink-dev wrote:
> > Hi,
> >
> > Will this support navigating to javascript:-URLs?
> >
> > Navigating to javascript:-URLs is an existing mis-feature in the
> > platform, which will execute the given script in the context of the current
> > document and is a popular XSS gadget. Your intent mentions "consistent
> > link handling across HTML, SVG, and MathML", which would suggest to me that
> > javascript:-URLs are supported. But then, I can't find any definite
> > statement for or against in the intent.
> >
> > From a security perspective it'd be better to drop javascript:-URLs;
> > however, this would admittedly come at the expense of consistency.
> >
> > On Wed, Jun 17, 2026 at 7:50 AM tannal <[email protected]> wrote:
> >
> >> Contact emails
> >> [email protected]
> >>
> >> Explainer
> >> https://people.igalia.com/fwang/mathml-a-href
> >>
> >> Specification
> >> https://w3c.github.io/mathml-core/#the-a-element
> >>
> >> Design docs
> >> None
> >>
> >> Summary
> >> Introduces the <a> element within the MathML namespace exposed via the
> >> new MathMLAnchorElement WebIDL interface which inherits from MathMLElement.
> >> This feature aligns MathML hyperlink capabilities with HTMLAnchorElement
> >> and SVGAElement to ensure consistent link handling across HTML, SVG, and
> >> MathML.
> >>
> >> Blink component
> >> Blink>MathML
> >>
> >> Web Feature ID
> >> Missing feature
> >>
> >> Motivation
> >> Linking is an important web feature and support is highly desired for
> >> MathML (e.g. to be able to create links on different parts of a
> >> mathematical expression). In the past, href was supported on all MathML
> >> elements to allow that (in MathML2 in the XLink namespace, and in MathML3
> >> the default namespace) but some concerns were raised that this was a bit too
> >> intrusive, because we have to do privacy mitigation (
> >> https://github.com/w3c/mathml-core/issues/142 ), handle it specially in
> >> the sanitizer API. We need a new <a> element for MathML to enable
> >> hyperlinks in mathematical expressions.
> >>
> >> Initial public proposal
> >> https://github.com/w3c/mathml-core/pull/307
> >>
> >> Goals for experimentation
> >> None
> >>
> >> Requires code in //chrome?
> >> False
> >>
> >> Tracking bug
> >> https://issues.chromium.org/u/1/issues/510487697
> >>
> >> Estimated milestones
> >> No milestones specified
> >>
> >> Anticipated spec changes
> >> Open questions about a feature may be a source of future web compat or
> >> interop issues. Please list open issues (e.g. links to known github issues
> >> in the project for the feature specification) whose resolution may
> >> introduce web compat/interop risk (e.g., changing to naming or structure of
> >> the API in a non-backward-compatible way).
> >>
> >> https://github.com/w3c/mathml-core/issues/142
> >> https://github.com/w3c/mathml-core/pull/307
> >>
> >> Link to entry on the Chrome Platform Status
> >> https://chromestatus.com/feature/6543819626643456?gate=6269974827106304
> >>
> >> This intent message was generated by Chrome Platform Status.
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "blink-dev" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an
> >> email to [email protected].
> >> To view this discussion visit
> >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/398b6ab3-d82d-4600-ab3d-cdc98761c39en%40chromium.org
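The sanitizer concern raised in the reply at the top of this thread, as an added example that is not part of the thread or of any real sanitizer's code: a link rule scoped to HTML and SVG anchors leaves a MathML `<a href>` untouched, while the same rule applied in every namespace does not. The tree shape and the helper names (`hrefIsSafe`, `isUnsafeAnchor`, `scrubAnchors`, `unsafeAnchors`) are hypothetical and the data is constructed.

```javascript
// Added example: constructed tree, hypothetical helper names.
const HTML = "http://www.w3.org/1999/xhtml";
const SVG = "http://www.w3.org/2000/svg";
const MATHML = "http://www.w3.org/1998/Math/MathML";
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Resolve the value with the WHATWG URL parser (it trims leading whitespace
// and lowercases the scheme, as a browser does), then allowlist the scheme.
function hrefIsSafe(value) {
  try {
    return SAFE_SCHEMES.has(new URL(value, "https://base.invalid/").protocol);
  } catch {
    return false; // unparseable values are treated as unsafe
  }
}

const isUnsafeAnchor = (n) =>
  n.name === "a" && "href" in n.attrs && !hrefIsSafe(n.attrs.href);

// Drop unsafe href values from <a> elements. `namespaces` is the set of
// namespaces the rule covers; null means the rule applies in any namespace.
function scrubAnchors(node, namespaces) {
  const covered = namespaces === null || namespaces.has(node.ns);
  if (covered && isUnsafeAnchor(node)) delete node.attrs.href;
  node.children.forEach((child) => scrubAnchors(child, namespaces));
  return node;
}

// Count anchors whose href still resolves to a non-allowlisted scheme.
function unsafeAnchors(node) {
  return node.children.reduce(
    (n, child) => n + unsafeAnchors(child), isUnsafeAnchor(node) ? 1 : 0);
}

// Constructed input: one anchor per namespace, all with the same href.
function sampleTree() {
  const a = (ns) =>
    ({ ns, name: "a", attrs: { href: " JavaScript:void(0)" }, children: [] });
  return { ns: HTML, name: "div", attrs: {}, children: [
    a(HTML),
    { ns: SVG, name: "svg", attrs: {}, children: [a(SVG)] },
    { ns: MATHML, name: "math", attrs: {}, children: [a(MATHML)] },
  ] };
}

const legacy = unsafeAnchors(scrubAnchors(sampleTree(), new Set([HTML, SVG])));
const fixed = unsafeAnchors(scrubAnchors(sampleTree(), null));
console.log({ legacy, fixed }); // { legacy: 1, fixed: 0 }
```

The same comparison works as a regression test for a sanitizer or linter configuration: feed it one anchor per namespace and assert that none survives with a non-allowlisted scheme.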
