golem/Math - Math - GOLEM git

Commit Graph

Author	SHA1	Message	Date
physikerwelt	6a0af8f3b4	Validate TeX input for all renderers, not just texvc The user input specified in the math tag a. la <math>E=m <script>alert('attacked')</script>^2 </math> is verified in PNG rendering mode, but not in plaintext, MathJax or LaTeXML rendering mode. This is a potential security issue. Furthermore, the texvc specific commands such as $\reals$ that is expanded to $\mathbb{R}$ might be rendered differently depended on the rendering mode. Therefore, the security checking and rewriting portion of texvc have been extracted from the texvc source (see I1650e6ec2ccefff6335fbc36bbe8ca8f59db0faa) and are now available as a separate executable (texvccheck). This commit will now enable this enhancement in security and provide even more compatibility among the different rendering modes. Bug: 49169 Change-Id: Ida24b6bf339508753bed40d2e218c4a5b7fe7d0c	2014-01-22 10:07:27 +00:00

Author

SHA1

Message

Date

physikerwelt

6a0af8f3b4

Validate TeX input for all renderers, not just texvc

The user input specified in the math tag a. la
<math>E=m <script>alert('attacked')</script>^2 </math>
is verified in PNG rendering mode, but not in plaintext, MathJax
or LaTeXML rendering mode. This is a potential security issue.

Furthermore, the texvc specific commands such as $\reals$
that is expanded to $\mathbb{R}$ might be rendered differently
depended on the rendering mode.

Therefore, the security checking and rewriting portion of texvc
have been extracted from the texvc source
(see I1650e6ec2ccefff6335fbc36bbe8ca8f59db0faa) and are
now available as a separate executable (texvccheck).

This commit will now enable this enhancement in security and
provide even more compatibility among the different rendering
modes.

Bug: 49169
Change-Id: Ida24b6bf339508753bed40d2e218c4a5b7fe7d0c

2014-01-22 10:07:27 +00:00

1 Commits