
katex: allow `\htmlId`

Open nschloe opened this issue 2 years ago • 3 comments

Feature Description

In Gitea, it's possible to manually set the HTML id in elements, e.g.,

<h1 id="myHeader">My Header</h1>

Math equations can contain an ID as well, making it possible to link to them, see https://katex.org/docs/supported.html#html:

\[
\htmlId{my-equation}{x + y = z}
\]

For this to work, the \htmlId attribute must be explicitly enabled in KaTeX's config.


nschloe avatar Oct 24 '23 15:10 nschloe

Math equations can contain an ID as well, making it possible to link to them, see https://katex.org/docs/supported.html#html:

https://katex.org/docs/supported.html#html

The following "raw HTML" features are potentially dangerous for untrusted inputs, so they are disabled by default, and attempting to use them produces the command names in red (which you can configure via the errorColor option). To fully trust your LaTeX input, you need to pass an option of trust: true; you can also enable just some of the commands or for just some URLs via the trust option.

So it can't be enabled for the instances with many users.

If you really need this feature, I think you could build your own Gitea instance to enable it.

wxiaoguang avatar Dec 06 '24 13:12 wxiaoguang

Yeah, I see the problem: if a user-provided ID collides with an existing ID, then the user-provided ID might be picked instead of ours. This is especially bad as there are some form.x = querySelector('#<id>').x inside the code. However, I do see an option for how we can circumvent these problems: if we reserve, for example, the katex- prefix for use by the math mode (IDs, classes, data attributes), then there is no harm to be done by defining your own IDs. I'm not sure how \htmlStyle is dangerous. If I see that correctly, it only sets the style of your own element. How can you misuse that? The only thing I can think of is to request a background image from an untrusted website. But even then, what would be the worst-case scenario in this case? The malicious server receives your IP?

Apart from the style issue, it may be possible to ask KaTeX for a prefix for these things to elevate them from untrusted to trusted status.

delvh avatar Dec 06 '24 14:12 delvh
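As an added example (not code from the Gitea project or from KaTeX), here is what the narrow alternative to `trust: true` discussed in the two comments above could look like: a `trust` callback that allows only `\htmlId`, restricts the id to a plain token, and rejects ids that start with a prefix reserved for the site's own markup. It assumes KaTeX passes `command` and `id` in the trust context for `\htmlId`, and the reserved prefix list is a placeholder, not Gitea's actual policy.

```javascript
// Added example: a `trust` callback for KaTeX's render options that enables
// only \htmlId. Intended usage (KaTeX is not imported here so the policy can
// be exercised stand-alone):
//   katex.renderToString(src, { trust: allowOnlyHtmlId, throwOnError: false })

// Prefixes assumed to be reserved for the site's own DOM ids and for KaTeX's
// generated markup. Placeholder list for this example, not Gitea's real one.
const RESERVED_ID_PREFIXES = ["katex-", "user-content-"];

// A plain token: starts with a letter, then letters, digits, '-' or '_',
// at most 64 characters. Anything else (spaces, quotes, '#', ...) is rejected.
const SAFE_ID = /^[A-Za-z][A-Za-z0-9_-]{0,63}$/;

// Record of rejected requests, useful for logging how often user input
// trips the policy. Each entry: { command, id, reason }.
const rejected = [];

function reject(command, id, reason) {
  rejected.push({ command, id, reason });
  return false;
}

// KaTeX calls trust(context) once per "raw HTML" command it meets while
// parsing; context.command is the LaTeX command name (e.g. "\\htmlId") and,
// for \htmlId, context.id is the user-supplied id. Returning false makes
// KaTeX render the command name in errorColor instead of emitting markup.
function allowOnlyHtmlId(context) {
  // \htmlStyle, \htmlClass, \htmlData, \href, \url, \includegraphics, ...
  if (context.command !== "\\htmlId") {
    return reject(context.command, undefined, "command not allowed");
  }
  const id = String(context.id ?? "");
  if (!SAFE_ID.test(id)) {
    return reject(context.command, id, "id is not a plain token");
  }
  const lower = id.toLowerCase();
  if (RESERVED_ID_PREFIXES.some((p) => lower.startsWith(p))) {
    return reject(context.command, id, "id uses a reserved prefix");
  }
  return true;
}
```

Because the callback only accepts or refuses, it cannot rewrite an id; namespacing user ids the way Gitea does for headings would need a post-processing step on the rendered HTML.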

I've started a discussion on KaTeX, https://github.com/KaTeX/KaTeX/discussions/4001.

nschloe avatar Dec 10 '24 11:12 nschloe

We close issues that need feedback from the author if there were no new comments for a month. :tea:

GiteaBot avatar Jan 09 '25 13:01 GiteaBot