The user input specified in the math tag à la
<math>E=m <script>alert('attacked')</script>^2 </math>
is verified in PNG rendering mode, but not in plaintext, MathJax
or LaTeXML rendering mode. This is a potential security issue.
Furthermore, the texvc-specific commands such as $\reals$
that is expanded to $\mathbb{R}$ might be rendered differently
depending on the rendering mode.
Therefore, the security checking and rewriting portions of texvc
have been extracted from the texvc source
(see I1650e6ec2ccefff6335fbc36bbe8ca8f59db0faa) and are
now available as a separate executable (texvccheck).
This commit will now enable this enhancement in security and
provide even more compatibility among the different rendering
modes.
Bug: 49169
Change-Id: Ida24b6bf339508753bed40d2e218c4a5b7fe7d0c

Many things in MediaWiki (and various on-wiki templates, at least on
enwiki) output error messages wrapped in <strong class="error">. MathJax
parsing all of these (added in I1199cb34) is completely broken.
What appears to have been intended is that MathJax would parse the
errors output by MathRenderer.php. So let's add a "texerror" class to
those and have MathJax look for that class instead.
Bug: 55675
Change-Id: Iaa6c3a892af463f38e6706f9407c6dcb948fe670

texvc had several tasks in the past:
1 checking the input
2 convert MediaWiki custom syntax to standard LaTeX
3 run LaTeX
4 convert dvi2png
This change provides a simplified version that performs
only steps 1+2. This is required to avoid security problems
with tools like MathJax, especially if these tools are
run at the server-side.
Bug: 54624
Change-Id: I1650e6ec2ccefff6335fbc36bbe8ca8f59db0faa

This patch adds wfDebugLog() calls for conditions related to texvc invocations.
The logs are grouped under a 'texvc' group, added for this purpose. The reason
for logging into a separate channel is that the Math channel is too verbose for
production use on the Wikimedia cluster.
Change-Id: I05a17a0230f49f5d698b91617d06b3e3f838b67d

Uses nodejs to call phantomjs that renders the
tex input using MathJax and returns a json object
that includes both the SVG and the MathML
representation.
The project was forked from
https://github.com/agrbin/svgtex.
Co-Authored-By: Gabriel Wicke <gwicke@wikimedia.org>
Co-Authored-By: Moritz Schubotz <wiki@physikerwelt.de>
Change-Id: Ie5f24006c3aacd8f61f48ca275acd63a418d7529

Make LaTeXML setting configurable with the new global
variable $wgDefaultLaTeXMLSetting.
PS: This variable can be specified as an array or a
string. If specified as an array, the
array('a'=>'b','c'=>array('e','f'))
would be transformed to the equivalent setting
a=b&c=e&c=f
, which is the input format for the LaTeXML daemon.
Change-Id: I2869df27cee83b426c6eb2312306fac9d6203ef2
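
The array-to-string transformation described in the last commit message above, as an added PHP example that is not code from the Math extension. serializeLaTeXMLSettings() is a hypothetical name, and percent-encoding keys and values is an assumption added here so that a setting value containing & or = cannot introduce extra parameters.

```php
<?php
// Added illustration. serializeLaTeXMLSettings() is a hypothetical helper,
// not a function taken from the Math extension.

/**
 * Turn a settings value into the repeated-key form a=b&c=e&c=f.
 *
 * @param string|array $settings a ready-made string, or key => value(s)
 * @return string
 */
function serializeLaTeXMLSettings( $settings ) {
    // A string is taken to be in the daemon's input format already.
    if ( is_string( $settings ) ) {
        return $settings;
    }
    $pairs = array();
    foreach ( $settings as $key => $value ) {
        // A scalar becomes a one-element list, so both shapes share one path;
        // a list value repeats its key once per element.
        foreach ( (array)$value as $item ) {
            // Assumption: percent-encode both sides so '&' and '=' inside a
            // value stay data and cannot add or override a parameter.
            $pairs[] = rawurlencode( (string)$key ) . '=' . rawurlencode( (string)$item );
        }
    }
    return implode( '&', $pairs );
}

// The array from the commit message.
$settings = array( 'a' => 'b', 'c' => array( 'e', 'f' ) );
echo serializeLaTeXMLSettings( $settings ), "\n";

// For comparison: PHP's built-in http_build_query() indexes nested keys with
// brackets instead of repeating the key, so it does not give the same format.
echo urldecode( http_build_query( $settings ) ), "\n";

// Constructed value containing separators, to show they are encoded as data.
$constructed = array( 'preload' => array( 'one.sty', 'two.sty&a=overridden' ) );
echo serializeLaTeXMLSettings( $constructed ), "\n";
```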