Disable dangerous \href and \style commands

MathJax's TeX input by default includes \href and \style commands, which can be
used to inject JavaScript and web bugs. Disable them by overriding them with
named function macros.

Change-Id: Id21253e9d1621b5ec4e93e28361c498c484b1b7b
Brion Vibber 2012-04-18 11:13:07 -07:00
parent c8a38b69bb
commit 6e110abf85

@ -117,7 +117,9 @@ MathJax.Hub.Register.StartupHook("TeX Jax Ready",function () {
arccot: 'NamedFn',
arcsec: 'NamedFn',
arccsc: 'NamedFn',
bold: ['Macro','\\boldsymbol'] // boldsymbol
bold: ['Macro','\\boldsymbol'], // boldsymbol
href: 'NamedFn', // disable dangerous command
style: 'NamedFn' // disable dangerous command
}
});
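
Review bot: The new href and style entries carry only the comment "disable dangerous command", which says neither what the danger is nor why 'NamedFn' is the replacement. Suggest expanding the comment to state that these commands can inject JavaScript and web bugs (as the commit message says) and that mapping them to 'NamedFn' turns them into plain named functions, so a later cleanup does not drop the entries as redundant. Because the override lives inside the "TeX Jax Ready" startup hook, please also confirm that nothing loaded after this hook redefines \href or \style, and add a test formula that uses both commands and checks that no link or inline style ends up in the output.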