KaTeX/website/versioned_docs/version-0.12.0/security.md
ylemkimon c387b9c747 v0.12.0 release (#2302)
* Release v0.12.0

Bump master to v0.12.1-pre

* Update CHANGELOG

* Uncomment ES module documentation

* Update CHANGELOG.md

Co-authored-by: Erik Demaine <edemaine@mit.edu>

* Update CHANGELOG.md

Co-authored-by: Erik Demaine <edemaine@mit.edu>
2020-07-13 05:46:01 +09:00


---
id: version-0.12.0-security
title: Security
original_id: security
---

Any HTML generated by KaTeX should be safe from `<script>` or other code injection attacks.

Of course, it is always a good idea to sanitize the HTML, though you will need a rather generous whitelist (including some of SVG and MathML) to support all of KaTeX.

A variety of options give finer control over the security of KaTeX with untrusted inputs; refer to the Options documentation for more details.

- `maxSize` can prevent large width/height visual affronts.
- `maxExpand` can prevent infinite macro loop attacks.
- `trust` can allow certain commands that may load external resources or change HTML attributes and thus are not always safe (e.g., `\includegraphics` or `\htmlClass`).

The error message thrown by KaTeX may contain unescaped LaTeX source code. See Handling Errors for more details.
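As an added example that is not part of the KaTeX docs, here is how a site embedding KaTeX could combine the options above for untrusted input and handle thrown errors without leaking unescaped source into the page. The `context` fields `command`, `url`, `protocol` and `class` follow the `trust` callback described in KaTeX's Options documentation; the allow-list policy, the chosen limits and the `renderUntrusted` wrapper are assumptions of this example.

```javascript
// Example code, not KaTeX's own. Policy and limits are assumptions for an
// embedding site; the `context` shape follows the documented trust callback.

// Only plain class names, so untrusted input cannot smuggle attribute syntax
// or reach arbitrary CSS hooks on the host page.
const SAFE_CLASS = /^[A-Za-z][A-Za-z0-9_-]{0,31}$/;
const SAFE_PROTOCOLS = new Set(['http', 'https']);

// KaTeX calls this once per potentially unsafe command; return true to allow it.
function trustPolicy(context) {
  switch (context.command) {
    case '\\htmlClass':
      return SAFE_CLASS.test(context.class || '');
    case '\\url':
    case '\\href':
      // Rejects javascript:, data:, relative links and anything not listed.
      return SAFE_PROTOCOLS.has(context.protocol);
    default:
      // \includegraphics, \htmlStyle, \htmlId, \htmlData, ... stay disabled.
      return false;
  }
}

// Option set for untrusted input: bounded output size, bounded macro
// expansion, thrown errors (the default) so the caller controls what is
// shown, and the trust policy above.
const untrustedOptions = {
  maxSize: 20,      // em; caps oversized rules/boxes ("visual affronts")
  maxExpand: 100,   // macro expansions per render; stops runaway recursion
  trust: trustPolicy,
};

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The katex module is passed in, so the policy can be exercised without it.
function renderUntrusted(katex, tex) {
  try {
    return katex.renderToString(tex, untrustedOptions);
  } catch (e) {
    // Thrown messages may echo raw LaTeX source; escape before displaying.
    return `<span class="katex-error">${escapeHtml(String(e.message))}</span>`;
  }
}
```

Even with this policy in place, the rendered HTML should still pass through the site's sanitizer with the generous whitelist mentioned above.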

If you discover a security issue, please let us know via https://hackerone.com/khanacademy