From 6e110abf8585d36d9fddf30175316b63bd915e9c Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Wed, 18 Apr 2012 11:13:07 -0700
Subject: [PATCH] Disable dangerous \href and \style commands

MathJax's TeX input by default includes \href and \style commands, which can be used to inject JavaScript and web bugs. Disabling them by overriding them with named function macros.

Change-Id: Id21253e9d1621b5ec4e93e28361c498c484b1b7b
---
 modules/MathJax/extensions/TeX/texvc.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/MathJax/extensions/TeX/texvc.js b/modules/MathJax/extensions/TeX/texvc.js
index 2317c82..d506867 100644
--- a/modules/MathJax/extensions/TeX/texvc.js
+++ b/modules/MathJax/extensions/TeX/texvc.js
@@ -117,7 +117,9 @@ MathJax.Hub.Register.StartupHook("TeX Jax Ready",function () {
 arccot: 'NamedFn',
 arcsec: 'NamedFn',
 arccsc: 'NamedFn',
- bold: ['Macro','\\boldsymbol'] // boldsymbol
+ bold: ['Macro','\\boldsymbol'], // boldsymbol
+ href: 'NamedFn', // disable dangerous command
+ style: 'NamedFn' // disable dangerous command
 }
 });
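Review bot: Remapping `href` and `style` to `'NamedFn'` neutralises only the two commands named in this table, so the protection is a denylist whose completeness is not checked anywhere in the hunk; if this MathJax build also exposes the TeX HTML extension's sibling commands `\class` and `\cssId`, they presumably stay available and deserve the same review, and any later definition table that registers `href`/`style` again (for instance the HTML extension being pulled in through the TeX `extensions` config) would likely undo this override, so its effect depends on load order and is worth a regression test that renders `\href{u}{x}` and asserts no anchor element appears in the output. The duplicated comment `// disable dangerous command` says neither why the commands are dangerous nor what the override does, leaving a maintainer free to "fix" the odd-looking mapping; `// overridden to 'NamedFn' so \href/\style render as a plain operator name and their arguments as ordinary groups (no link, no CSS) — keep in sync with any other TeX definition table` would carry that context. The enclosing macro object and the StartupHook callback begin before the hunk.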