enhance: allow MathML core elements (#38034)

Fixes #36352.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

modules/markup/sanitizer_default.go

@@ -63,6 +63,38 @@ func (st *Sanitizer) createDefaultPolicy() *bluemonday.Policy {
 
 	policy.AllowAttrs("loading").OnElements("img")
 
+	// MathML Core (https://www.w3.org/TR/mathml-core/)
+	mathMLElements := []string{
+		"math",
+		// token elements
+		"mi", "mn", "mo", "mtext", "mspace", "ms",
+		// layout elements
+		"mrow", "mfrac", "msqrt", "mroot", "mstyle", "merror", "mpadded", "mphantom",
+		// scripting elements
+		"msub", "msup", "msubsup", "munder", "mover", "munderover", "mmultiscripts", "mprescripts", "none",
+		// tabular elements
+		"mtable", "mtr", "mtd",
+		// semantic annotations
+		"semantics", "annotation", "annotation-xml",
+	}
+	policy.AllowAttrs("display", "alttext").OnElements("math")
+	policy.AllowAttrs(
+		// global presentation attributes
+		"dir", "displaystyle", "mathbackground", "mathcolor", "mathsize", "mathvariant", "scriptlevel",
+		// operator attributes
+		"accent", "accentunder", "fence", "form", "largeop", "lspace", "maxsize", "minsize", "movablelimits", "rspace", "separator", "stretchy", "symmetric",
+		// space and padding attributes
+		"depth", "height", "voffset", "width",
+		// fraction attribute
+		"linethickness",
+		// table attributes
+		"columnalign", "columnlines", "columnspacing", "frame", "framespacing", "rowalign", "rowlines", "rowspacing",
+		// cell attributes
+		"columnspan",
+		// annotation attribute
+		"encoding",
+	).OnElements(mathMLElements...)
+
 	// Allow generally safe attributes (reference: https://github.com/jch/html-pipeline)
 	generalSafeAttrs := []string{
 		"abbr", "accept", "accept-charset",

modules/markup/sanitizer_default_test.go

@@ -61,6 +61,9 @@ func TestSanitizer(t *testing.T) {
 		// picture
 		`<picture><source media="a"><source media="b"><img alt="c" src="d"></picture>`, `<picture><source media="a"><source media="b"><img alt="c" src="d"></picture>`,
 
+		// MathML
+		`<math display="display" class="foo"><mi mathcolor="c" class="bar"></mi></math>`, `<math display="display"><mi mathcolor="c"></mi></math>`,
+
 		// Disallow dangerous url schemes
 		`<a href="javascript:alert('xss')">bad</a>`, `bad`,
 		`<a href="vbscript:no">bad</a>`, `bad`,
@@ -72,6 +75,6 @@ func TestSanitizer(t *testing.T) {
 	}
 
 	for i := 0; i < len(testCases); i += 2 {
-		assert.Equal(t, testCases[i+1], string(Sanitize(testCases[i])))
+		assert.Equal(t, testCases[i+1], string(Sanitize(testCases[i])), "input: %s", testCases[i])
 	}
 }