GHSA-qwj6-q94f-8425: 
JavaScript vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in MathLive library versions 0.103.0 and earlier. The vulnerability stems from insufficient HTML escaping in the \htmlData command, despite the library's general protection against XSS through LaTeX expression rendering (GitHub Advisory). This security issue was disclosed on January 18, 2025, and affects the npm package 'mathlive'.

The vulnerability exists due to the absence of proper HTML escaping functions in the codebase, particularly in the \htmlData command implementation. The issue allows for direct HTML manipulation without proper sanitization, potentially enabling XSS attacks. The vulnerability has been assigned a moderate severity rating (GitHub Advisory).

The vulnerability could allow attackers to execute arbitrary JavaScript code in the context of users' browsers through the manipulation of HTML content via the \htmlData command. This could potentially lead to unauthorized access to user data, session hijacking, or other malicious activities typically associated with XSS attacks (GitHub Advisory).

The vulnerability has been patched in version 0.104.0 of the MathLive library. The fix includes the implementation of proper HTML sanitization functions for attribute names and values, particularly in the handling of the \htmlData command (GitHub Commit). Users are advised to upgrade to this version or later to mitigate the risk.