mirror of
https://gerrit.wikimedia.org/r/mediawiki/extensions/Math
synced 2024-09-23 10:21:31 +00:00
6a0af8f3b4
The user input specified in the math tag a. la
<math>E=m <script>alert('attacked')</script>^2 </math>
is verified in PNG rendering mode, but not in plaintext, MathJax
or LaTeXML rendering mode. This is a potential security issue.
Furthermore, the texvc specific commands such as $\reals$
that is expanded to $\mathbb{R}$ might be rendered differently
depended on the rendering mode.
Therefore, the security checking and rewriting portion of texvc
have been extracted from the texvc source
(see I1650e6ec2ccefff6335fbc36bbe8ca8f59db0faa) and are
now available as a separate executable (texvccheck).
This commit will now enable this enhancement in security and
provide even more compatibility among the different rendering
modes.
Bug: 49169
Change-Id: Ida24b6bf339508753bed40d2e218c4a5b7fe7d0c
52 lines
1.1 KiB
PHP
52 lines
1.1 KiB
PHP
<?php
|
|
/**
|
|
* MediaWiki math extension
|
|
*
|
|
* (c) 2002-2014 Tomasz Wegrzanowski, Brion Vibber, Moritz Schubotz, and other MediaWiki contributors
|
|
* GPLv2 license; info in main package.
|
|
*
|
|
* @author Moritz Schubotz
|
|
*/
|
|
abstract class MathInputCheck {
|
|
protected $inputTeX;
|
|
protected $validTeX;
|
|
protected $isValid = false;
|
|
protected $lastError = null;
|
|
|
|
/**
|
|
* Default constructor
|
|
* (performs no checking)
|
|
* @param String $tex the TeX InputString to be checked
|
|
*/
|
|
public function __construct( $tex = '' ) {
|
|
$this->inputTeX = $tex;
|
|
$this->isValid = false;
|
|
}
|
|
|
|
/**
|
|
* Returns true if the TeX input String is valid
|
|
* @return boolean
|
|
*/
|
|
public function isValid() {
|
|
return $this->isValid;
|
|
}
|
|
|
|
/**
|
|
* Returns the string of the last error.
|
|
* @return string
|
|
*/
|
|
public function getError() {
|
|
return $this->lastError;
|
|
}
|
|
|
|
/**
|
|
* Some TeX checking programs may return
|
|
* a modified tex string after having checked it.
|
|
* You can get the altered tex string with this method
|
|
* @return string A valid Tex string
|
|
*/
|
|
public function getValidTex() {
|
|
return $this->validTeX;
|
|
}
|
|
}
|