KaTeX/docs/security.md
Erik Demaine 3800dc49c1 [breaking] trust setting to indicate whether input text is trusted (#1794)
* trust option to indicate whether input text is trusted

* Revamp into trust contexts beyond just command

* Document new trust function style

* Fix screenshot testing

* Use trust setting in \url and \href

* Check `isTrusted` in `\url` and `\href` (so now disabled by default)
* Automatically compute `protocol` from `url` in `isTrusted`, so it
  doesn't need to be passed into every context.

* Document untrusted features in support list/table

* Existing tests trust by default

* remove allowedProtocols and fix flow errors

* remove 'allowedProtocols' from documentation

* add a comment about a flow error, rename urlToProtocol to protocolFromUrl

* add tests that use function version of trust option

* default trust to false in MathML tests

* fix test title, remove 'trust: false' from test settings since it's the default
2019-07-08 21:57:23 -04:00


---
id: security
title: Security
---

Any HTML generated by KaTeX should be safe from `<script>` or other code injection attacks.

Of course, it is always a good idea to sanitize the HTML, though you will need a rather generous whitelist (including some of SVG and MathML) to support all of KaTeX.

A variety of options give finer control over the security of KaTeX with untrusted inputs; refer to Options for more details.

  • maxSize can prevent large width/height visual affronts.
  • maxExpand can prevent infinite macro loop attacks.
  • trust can allow certain commands that are not always safe (e.g., \includegraphics).
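
The three options above combined into one settings object for untrusted input, as an added example (not code from the KaTeX project). It assumes the `trust` callback shape introduced by this commit (a context with `command`, `url` and `protocol`, where KaTeX derives `protocol` from `url`); the http(s)-links-only allowlist is a policy chosen for this example, not KaTeX's default.

```javascript
// Added example, not part of the KaTeX docs: a `trust` callback plus the
// maxSize / maxExpand limits, packaged as one settings object.
// KaTeX calls `trust` once per potentially unsafe command with a context
// such as {command: "\\href", url: "https://x", protocol: "https"};
// `protocol` is derived from `url` by KaTeX. The allowlist below is an
// assumption for this example; KaTeX's own default is `trust: false`.

const ALLOWED_COMMANDS = new Set(["\\url", "\\href"]);
const ALLOWED_PROTOCOLS = new Set(["http", "https"]);

function trustPolicy(context) {
  // Anything other than a link command (e.g. \includegraphics) stays
  // disabled, exactly as with `trust: false`.
  if (!ALLOWED_COMMANDS.has(context.command)) {
    return false;
  }
  // Only absolute http(s) links are allowed; relative URLs and any other
  // scheme (javascript:, data:, ...) are rejected because they are not in
  // the allowlist. Denying by default is what keeps the policy safe.
  return typeof context.protocol === "string" &&
    ALLOWED_PROTOCOLS.has(context.protocol.toLowerCase());
}

// Settings for untrusted input: bounded user sizes, bounded macro
// expansion, errors rendered as an inline error span instead of thrown,
// and the trust policy above.
const UNTRUSTED_SETTINGS = {
  maxSize: 10,       // in em; caps e.g. \rule{500em}{500em}
  maxExpand: 1000,   // macro expansions per render; stops infinite loops
  throwOnError: false,
  trust: trustPolicy,
};

// `katex` is passed in so this file runs without the module installed.
// Real use: renderUntrusted(require("katex"), "\\href{https://katex.org}{x}")
function renderUntrusted(katex, tex) {
  return katex.renderToString(tex, UNTRUSTED_SETTINGS);
}
```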

The error message thrown by KaTeX may contain unescaped LaTeX source code. See Handling Errors for more details.

If you discover a security issue, please let us know via https://hackerone.com/khanacademy