The user input specified in the math tag a. la
<math>E=m <script>alert('attacked')</script>^2 </math>
is verified in PNG rendering mode, but not in plaintext, MathJax
or LaTeXML rendering mode. This is a potential security issue.
Furthermore, the texvc specific commands such as $\reals$
that is expanded to $\mathbb{R}$ might be rendered differently
depended on the rendering mode.
Therefore, the security checking and rewriting portion of texvc
have been extracted from the texvc source
(see I1650e6ec2ccefff6335fbc36bbe8ca8f59db0faa) and are
now available as a separate executable (texvccheck).
This commit will now enable this enhancement in security and
provide even more compatibility among the different rendering
modes.
Bug: 49169
Change-Id: Ida24b6bf339508753bed40d2e218c4a5b7fe7d0c
This patch adds wfDebugLog() calls for conditions related to texvc invocations.
The logs are grouped under a 'texvc' group, added for this purpose. The reason
for logging into a separate channel is that the Math channel is too verbose for
production use on the Wikimedia cluster.
Change-Id: I05a17a0230f49f5d698b91617d06b3e3f838b67d
* Remove parameters/append that are never outputted by texvc.ml
* Add missing math_output_error to i18n file
* Improve a few qqq descriptions
Change-Id: Iea5139682fbe8389e578549f5f62e5505f4c0b48
Adds a new method isChanged() for determining if a value was changed.
This is done in preparation for a more elaborated caching method that is
handled inside the abstract base class.
Change-Id: Ica15f77d96453d30edd3a117c7185c694ad3691e
Moves writeCache call back to hooks (changed in 9ba4ef269d)
and makes it unconditional, so only one part of the code decides
whether to write to the cache.
Bug: 45973
Change-Id: I6b387795304ff15c960fcf0f5354a9ac939e1212
Change I9b1d68c4faa8d177d8d0088fa1a5879caed4f1fe added an indiscriminant call
to writeCache(). I assume that it was supposed to be regulated by the check for
$this->isRecall() (which is a getter for '$this->recall'), but there was no
concomitant change to ensure that recall is set true on cache hits.
My fix does not set recall to true. The style of "pass-by-attribute" is tricky
and should be factored out by a subsequent change. This change moves the call
to writeCache() so that it is only called on cache miss.
Change-Id: I9b690e55001859c97fd40330272791d49ec6de75
* This was changed in 926db7c3bd as a workaround for a testing issue.
* See 8cbd679aac781bdd73038064261736a937645fc1 , which fixes the test harness in core .
Change-Id: Ib57cafee35a699ce875ee4bc8951781e1a37553a
The Math.body file which contains the MathRender class was split in the following way:
- Math.base contains the base class with the database related stuff and provides an abstract interface
- Math.source and Math.MathJax handle the plain tex string output. There are two classes since they
will differntiate in the future I think.
- Math.texvc contains the "old" implementation of png generation with all the file handling related stuff
- Other implementation of math renderer can be added in the same style.
- Cleanup to better follow coding conventions.
- Changed LockManager to 'fsLockManager'
The first attempt restructure the class layout and introduce LaTeXML at the same
time was dropped. Instead this was split up into two phases.
This commit only deals about the restructuring of the math module design.
Change-Id: I9b1d68c4faa8d177d8d0088fa1a5879caed4f1fe
