If a certain set of MathML tags is enabled, an attacker can inject arbitrary JavaScript code into the user's browser.
The annotation-xml tag has slightly different behavior from the other "integration point"
tags in MathML and SVG: it only becomes an HTML integration point when its encoding attribute
is text/html or application/xhtml+xml. ammonia did not handle that case, so it did not correctly
strip the namespace-incompatible tags.
This vulnerability only has an effect when the math and annotation-xml tags
are both enabled but the encoding attribute is disabled, because it relies
on the following sequence of steps:

1. <math><annotation-xml encoding="text/html"><gadget></annotation-xml></math>. <gadget> is parsed as HTML, since annotation-xml with encoding="text/html" is an HTML integration point.
2. ammonia strips the disallowed encoding attribute and emits <math><annotation-xml><gadget></annotation-xml></math>. Because the encoding attribute is gone, the browser now parses <gadget> as MathML.

Additionally, the gadget can only be written using a tag that is parsed as raw text in HTML: the content of such an element is serialized literally, so text that was inert inside the HTML gadget becomes markup once the browser reparses the gadget as a MathML element. These elements are:
Applications that do not explicitly allow any of these tags should not be affected, since none are allowed by default.
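The following is an added example, not ammonia's code, that models the two parses described above. It encodes three rules from the WHATWG HTML spec (which encoding values make annotation-xml an HTML integration point, which tags the tokenizer reads as raw text, and that the serializer emits text under such a tag literally) and uses them to show why one fragment means different things before and after the encoding attribute is stripped, and to check an allow-list for the affected combination. The raw-text tag list comes from the spec's tokenizer states, not from the advisory; the allow-list and placeholder content are constructed, and tag and attribute names are assumed already lowercased, as a sanitizer sees them after parsing.

```python
"""Model of the annotation-xml namespace confusion (added example, not ammonia's code)."""
import html

# Tags whose content the tokenizer consumes as raw text (RAWTEXT, script data
# or PLAINTEXT states) per the WHATWG spec; not copied from the advisory.
# noscript is raw text only when scripting is enabled, which holds in a browser.
RAW_TEXT_TAGS = frozenset({
    "script", "style", "xmp", "iframe", "noembed",
    "noframes", "plaintext", "noscript",
})

# encoding values that make annotation-xml an HTML integration point,
# compared ASCII case-insensitively per the spec.
HTML_INTEGRATION_ENCODINGS = frozenset({"text/html", "application/xhtml+xml"})


def is_html_integration_point(tag, attrs):
    """True if children of this MathML element are parsed as HTML.

    The other MathML integration points (mi, mo, mn, ms, mtext) follow
    different rules and are deliberately not modelled here.
    """
    if tag != "annotation-xml":
        return False
    return attrs.get("encoding", "").lower() in HTML_INTEGRATION_ENCODINGS


def gadget_namespace(parent_tag, parent_attrs, gadget_tag):
    """Namespace a browser gives gadget_tag as a child of parent_tag inside <math>.

    Restricted to raw-text tags: none of them is on the spec's list of tags
    that break out of foreign content, so outside an integration point they
    stay MathML elements.
    """
    if gadget_tag not in RAW_TEXT_TAGS:
        raise ValueError(f"{gadget_tag!r} is not a raw-text tag")
    return "html" if is_html_integration_point(parent_tag, parent_attrs) else "mathml"


def serialize_text(parent_tag, parent_ns, text):
    """Serialize a text node as the HTML fragment serialization algorithm does:
    literally under an HTML raw-text parent, entity-escaped everywhere else."""
    if parent_ns == "html" and parent_tag in RAW_TEXT_TAGS:
        return text
    return html.escape(text, quote=False)


def strip_attrs(tag, attrs, allowed_attrs):
    """Keep only the attributes allowed for this tag (the sanitizer's attribute pass)."""
    return {k: v for k, v in attrs.items() if k in allowed_attrs.get(tag, ())}


def round_trip(gadget_tag, gadget_text, allowed_attrs):
    """Walk the advisory's two steps for one gadget.

    Returns (namespace at sanitize time, serialized gadget text, namespace after
    the browser reparses the sanitizer's output without the encoding attribute).
    """
    attrs_in = {"encoding": "text/html"}
    ns_before = gadget_namespace("annotation-xml", attrs_in, gadget_tag)
    emitted = serialize_text(gadget_tag, ns_before, gadget_text)
    attrs_out = strip_attrs("annotation-xml", attrs_in, allowed_attrs)
    ns_after = gadget_namespace("annotation-xml", attrs_out, gadget_tag)
    return ns_before, emitted, ns_after


def affected_gadgets(allowed_tags, allowed_attrs):
    """Raw-text tags usable as gadgets under this allow-list.

    Empty unless math and annotation-xml are both allowed while the encoding
    attribute on annotation-xml is not: the combination the advisory names.
    """
    allowed_tags = set(allowed_tags)
    if not {"math", "annotation-xml"} <= allowed_tags:
        return frozenset()
    if "encoding" in allowed_attrs.get("annotation-xml", ()):
        return frozenset()
    return RAW_TEXT_TAGS & allowed_tags


if __name__ == "__main__":
    # Constructed allow-list: math, annotation-xml and xmp allowed, encoding not.
    tags = {"p", "math", "annotation-xml", "xmp"}
    attrs = {"a": {"href"}}
    # Constructed placeholder content; the point is whether '<' survives unescaped.
    before, emitted, after = round_trip("xmp", "<placeholder>", attrs)
    print(f"at sanitize time: {before}; emitted text: {emitted}; after reparse: {after}")
    print("usable gadgets:", sorted(affected_gadgets(tags, attrs)))
```

Allowing the encoding attribute keeps both parses consistent, and removing math, annotation-xml or every raw-text tag from the allow-list removes the path entirely; affected_gadgets returns an empty set in each of those cases.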
Discovered by: ivan0912 (YesWeHack) · Date: 2026-06-29 · Found via local differential analysis and source review of ammonia's sanitisation pipeline; no third-party systems were tested.
License: CC0-1.0