mirror of
https://github.com/Smaug123/KaTeX
synced 2025-10-09 13:08:40 +00:00
* trust option to indicate whether input text is trusted * Revamp into trust contexts beyond just command * Document new trust function style * Fix screenshot testing * Use trust setting in \url and \href * Check `isTrusted` in `\url` and `\href` (so now disabled by default) * Automatically compute `protocol` from `url` in `isTrusted`, so it doesn't need to be passed into every context. * Document untrusted features in support list/table * Existing tests trust by default * remove allowedProtocols and fix flow errors * remove 'allowedProtocols' from documentation * add a comment about a flow error, rename urlToProtocol to protocolFromUrl * add tests that use function version of trust option * default trust to false in MathML tests * fix test title, remove 'trust: false' from test settings since it's the default
22 lines
865 B
Markdown
---
id: security
title: Security
---

With the default options, any HTML generated by KaTeX *should* be safe from
`<script>` or other code injection attacks.

Of course, it is always a good idea to sanitize the HTML before inserting it
into a page, especially when the LaTeX source came from an untrusted user. Note
that you will need a rather generous allowlist (including some of SVG and
MathML) to support all of KaTeX; a sanitizer that strips MathML or SVG will
break some output.

A variety of options give finer control over the security of KaTeX
with untrusted inputs; refer to [Options](options.md) for more details.
* `maxSize` caps user-specified dimensions (e.g., in `\rule`), preventing huge width/height visual affronts.
* `maxExpand` bounds the number of macro expansions, so a recursive macro loop ends in an error instead of hanging the renderer.
* `trust` allows certain commands that are not always safe (e.g., `\includegraphics`); it is off by default, and can be a boolean or a function that decides per command (and, for links, per URL).

The error message thrown by KaTeX may contain unescaped LaTeX source code, so
treat it as untrusted text: escape it, or set it as text content rather than
HTML, before showing it to users.
See [Handling Errors](error.md) for more details.

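The following JavaScript is an added example, not code from the KaTeX project, that puts the options listed above and the error-message caveat together. It assumes only the KaTeX option names `maxSize`, `maxExpand`, `trust` and `throwOnError`, and the `command`, `url` and `protocol` fields of the context object KaTeX passes to a `trust` function (KaTeX reports a relative URL as the pseudo-protocol `_relative`). The helper names `trustPolicy`, `hardenedOptions`, `escapeHtml` and `renderUntrusted`, and the sample inputs, are this example's own. The render function is passed in as a parameter so the block runs without `katex` installed; in an application pass `katex.renderToString`.

```javascript
// Added example (not KaTeX project code): a hardened option set for
// katex.renderToString() plus an error-handling wrapper for untrusted input.
// Option names are KaTeX's; helper names are assumptions of this example.

// Protocols that \href / \url may link to. "javascript:" is deliberately
// absent; with an allowlist, anything unlisted is rejected by default.
const ALLOWED_PROTOCOLS = new Set(["http", "https", "mailto"]);

// Commands we are willing to trust. Anything else that consults `trust`
// (e.g. \includegraphics) stays disabled.
const ALLOWED_COMMANDS = new Set(["\\href", "\\url"]);

// trust callback: KaTeX calls it once per trust-gated command with a context
// object ({command, url, protocol, ...}); return true to allow, false to drop.
function trustPolicy(context) {
  if (!ALLOWED_COMMANDS.has(context.command)) return false;
  // KaTeX derives `protocol` from `url`; relative URLs arrive as "_relative",
  // which we treat as untrusted along with anything missing or unlisted.
  const protocol = String(context.protocol || "").toLowerCase();
  return ALLOWED_PROTOCOLS.has(protocol);
}

// Options for rendering LaTeX that did not come from a trusted author.
const hardenedOptions = Object.freeze({
  maxSize: 50,        // cap user-specified sizes (e.g. \rule{500em}{500em}) at 50em
  maxExpand: 1000,    // bound macro expansion so \def\x{\x}\x errors out instead of looping
  trust: trustPolicy, // per-command/per-URL decision above instead of a blanket `true`
  throwOnError: true, // surface errors to the caller; we escape them ourselves below
});

// Escape text for insertion into HTML. A KaTeX ParseError message can echo
// the raw LaTeX source, so it must never reach innerHTML unescaped.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render with the hardened options. On failure, return a span whose text is
// the escaped error message; `ok` tells the caller which case it got.
// `renderToString` is injected so this runs offline; use katex.renderToString.
function renderUntrusted(renderToString, tex) {
  try {
    return { ok: true, html: renderToString(tex, hardenedOptions) };
  } catch (err) {
    const msg = err && err.message ? err.message : String(err);
    return { ok: false, html: `<span class="katex-error">${escapeHtml(msg)}</span>` };
  }
}

// Constructed sample: a renderer stand-in that echoes the input in its error,
// the way a parse error on `<script>alert(1)</script>` would.
const fakeRenderer = (tex) => {
  throw new Error(`KaTeX parse error: Expected 'EOF', got '<' in ${tex}`);
};
const sample = renderUntrusted(fakeRenderer, "<script>alert(1)</script>");
```

Pass `hardenedOptions` to every `katex.render`/`katex.renderToString` call that handles user input, and insert the returned error `html` only after it has gone through `escapeHtml` as above (or assign the raw message to `textContent` instead). If you also run a DOM sanitizer over the successful output, remember to allow the MathML and SVG elements KaTeX emits.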
> If you discover a security issue, please let us know via https://hackerone.com/khanacademy