[breaking] trust setting to indicate whether input text is trusted (#1794)

* trust option to indicate whether input text is trusted

* Revamp into trust contexts beyond just command

* Document new trust function style

* Fix screenshot testing

* Use trust setting in \url and \href

* Check `isTrusted` in `\url` and `\href` (so now disabled by default)
* Automatically compute `protocol` from `url` in `isTrusted`, so it
  doesn't need to be passed into every context.

* Document untrusted features in support list/table

* Existing tests trust by default

* remove allowedProtocols and fix flow errors

* remove 'allowedProtocols' from documentation

* add a comment about a flow error, rename urlToProtocol to protocolFromUrl

* add tests that use function version of trust option

* default trust to false in MathML tests

* fix test title, remove 'trust: false' from test settings since it's the default
This commit is contained in:
Erik Demaine
2019-07-08 21:57:23 -04:00
committed by Kevin Barabash
parent fc79f79c78
commit 3800dc49c1
16 changed files with 352 additions and 62 deletions


@@ -101,6 +101,13 @@ The `{array}` environment does not yet support `\cline` or `\multicolumn`.
## HTML
The following "raw HTML" features are potentially dangerous for untrusted
inputs, so they are disabled by default, and attempting to use them produces
the command names in red (which you can configure via the `errorColor`
[option](options.md)). To fully trust your LaTeX input, you need to pass
an option of `trust: true`; you can also enable just some of the commands
or for just some URLs via the `trust` [option](options.md).
|||
|:----------------|:-------------------|
| $\href{https://katex.org/}{\KaTeX}$ | `\href{https://katex.org/}{\KaTeX}` |
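Review bot: The paragraph added under `## HTML` presents `trust: true` as the main way to enable these commands and mentions the narrower form only in passing ("you can also enable just some of the commands or for just some URLs"). With `allowedProtocols` removed in this same commit, the `trust` setting appears to be the only gate on which URLs `\href` and `\url` accept, so I would lead with the function form of `trust` for pages that render LaTeX they did not author, and say explicitly that `trust: true` is meant for input the page author controls. It would also help to say here which context fields the function receives (the commit message mentions `protocol` being computed from `url`), or state that they are listed in options.md, so a reader does not have to guess what "just some URLs" can match on.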