mirror of
https://gerrit.wikimedia.org/r/mediawiki/extensions/Math
synced 2024-11-27 17:01:07 +00:00
Disable dangerous \href and \style commands
MathJax's TeX input by default includes \href and \style commands, which can be used to inject JavaScript and web bugs. Disable them by overriding them with named-function macros. Change-Id: Id21253e9d1621b5ec4e93e28361c498c484b1b7b
parent
c8a38b69bb
commit
6e110abf85
4
modules/MathJax/extensions/TeX/texvc.js
vendored
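--- a/modules/MathJax/extensions/TeX/texvc.js
+++ b/modules/MathJax/extensions/TeX/texvc.js
@@ -117,7 +117,9 @@ MathJax.Hub.Register.StartupHook("TeX Jax Ready",function () {
 arccot: 'NamedFn',
 arcsec: 'NamedFn',
 arccsc: 'NamedFn',
-bold: ['Macro','\\boldsymbol'] // boldsymbol
+bold: ['Macro','\\boldsymbol'], // boldsymbol
+href: 'NamedFn', // disable dangerous command
+style: 'NamedFn' // disable dangerous command
 }
 
 });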
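Review bot: The new `href: 'NamedFn'` and `style: 'NamedFn'` entries neutralise only two commands, and nothing in the hunk shows whether the other commands of MathJax's HTML extension (`\class`, `\cssId`) were reviewed; either override them in the same table or add a comment saying they are intentionally left enabled. It is also not visible here whether these overrides survive if that extension is loaded later and registers its own `href`/`style` definitions, so a regression test that renders an `\href` expression and asserts that no link element or inline style reaches the output would pin the behaviour down. The two identical comments would serve maintainers better as one line giving the reason, e.g. `// \href and \style let wiki text emit links and inline CSS; render them as plain function names instead`. The enclosing macros table begins outside the hunk, so entries earlier in it could not be checked.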