mathlive is vulnerable to Cross-Site Scripting (XSS)
63
Medium Risk
mathlive converts LaTeX into HTML and MathML for the editor, for convertLatexToMarkup, and for the <math-span> / <math-div> static elements. The \text{} and \mbox{} commands accept arbitrary characters, and in both output paths that text was concatenated into the markup without HTML escaping. When an application renders untrusted LaTeX and inserts the result into the DOM, a payload such as an embedded <img> tag with an event handler executes arbitrary JavaScript. The fix escapes text-mode content and MathML text nodes so that angle brackets and ampersands cannot break out of element content.
You are affected if you are using a version that falls within the vulnerable range.
mathlive is vulnerable to Cross-Site Scripting (XSS) in versions 0.0.1 - 0.109.2.
Upgrade the mathlive library to a patched version.