Allow the kramdown math engine to be overridden

Open stevenkaras opened this issue 7 years ago • 6 comments

This will allow the use of the nil math engine in kramdown, which provides a saner default for templates that don't want mathjax but want a safe fallback for when javascript is disabled.

From the history of this repo, the math engine used to be changeable up until 2 years ago when kramdown became the primary/only markdown engine. I have not checked if the version of kramdown used back then even had multiple math engines.

stevenkaras avatar Mar 19 '18 20:03 stevenkaras

+1. Please allow the math engine to be disabled completely. I use KaTeX, which is lighter and substantially preferable to MathJax for my site.

aterenin avatar Mar 26 '18 14:03 aterenin

Hey! I'd be happy to accept this PR with the following condition: we override any non-nil math engine to mathjax. We cannot permit server-side processing of kramdown's math engines at this time, so setting math_engine: katex should be overwritten to mathjax. If math_engine: null, then we can leave it.

parkr avatar Jul 02 '18 18:07 parkr

The docs seem to indicate that the KaTeX engine is intended for untrusted user input. Of course, the PR as it stands now would also allow the sskatex engine, which is explicitly insecure.

Perhaps a better way would be to list permitted options, with the first as a default? That would be a more flexible solution moving forward, and keep the current declarative style.

stevenkaras avatar Jul 08 '18 06:07 stevenkaras

@stevenkaras, any progress on this?

I also prefer allowing katex as an option so clients don't need to have javascript enabled, but if it requires a lengthy audit of that gem by GitHub, I'd take the nil-or-mathjax solution to no solution at all.

mahrud avatar Jun 04 '19 09:06 mahrud

I don't think we can do any security auditing of new gems, so I'd like to simply allow you to unset the math engine, i.e. allowed values are nil and mathjax. This is due to the amount of time that goes into auditing these new gems for untrusted user input. We have to do our due diligence to keep our users safe, and we can't commit to that at this time.

Allowing the math_engine to be nil is fine by me.

parkr avatar Jun 04 '19 15:06 parkr
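The policy agreed on in the comments above (a declarative allow-list with the first entry as the default, an explicit nil kept so math falls back to plain text, and any other engine such as katex or sskatex forced back to mathjax before kramdown sees it) can be expressed as a small configuration filter. The following is an added example, not pages-gem's own code: the function name `sanitize_math_engine`, the constant `ALLOWED_MATH_ENGINES`, and the hash layout are assumptions; only the `math_engine` key and the values nil and mathjax come from the thread.

```ruby
# Added example (not pages-gem code): filter the kramdown math_engine
# setting before the site is built. Assumed names: sanitize_math_engine,
# ALLOWED_MATH_ENGINES. The config is a plain Hash as loaded from _config.yml.

# Engines that may run on the build host. The first entry is the default
# substituted for anything not on the list.
ALLOWED_MATH_ENGINES = ["mathjax"].freeze

# Returns a new config hash with the kramdown section normalised:
#   * key absent        -> untouched, so the gem's own default applies
#   * math_engine: null -> kept as nil, math blocks are emitted as plain text
#   * math_engine on the allow-list -> kept
#   * anything else (katex, sskatex, ...) -> replaced by the default
# The caller's hash is never mutated, so the original value can still be
# logged or reported back to the user.
def sanitize_math_engine(config)
  kramdown = (config["kramdown"] || {}).dup
  return config.merge("kramdown" => kramdown) unless kramdown.key?("math_engine")

  engine = kramdown["math_engine"]
  unless engine.nil? || ALLOWED_MATH_ENGINES.include?(engine.to_s)
    kramdown["math_engine"] = ALLOWED_MATH_ENGINES.first
  end
  config.merge("kramdown" => kramdown)
end

# Convenience: report which value, if any, was overridden, so a build log can
# tell the site owner why their setting was not honoured.
def math_engine_override(config)
  before = config.dig("kramdown", "math_engine")
  after = sanitize_math_engine(config).dig("kramdown", "math_engine")
  before == after ? nil : [before, after]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample configs, one per case handled above.
  [
    { "kramdown" => { "math_engine" => "katex" } },
    { "kramdown" => { "math_engine" => "sskatex" } },
    { "kramdown" => { "math_engine" => nil } },
    { "kramdown" => { "math_engine" => "mathjax" } },
    {}
  ].each do |cfg|
    puts "#{cfg.inspect} -> #{sanitize_math_engine(cfg).inspect} (override: #{math_engine_override(cfg).inspect})"
  end
end
```

Because YAML's `null` loads as Ruby `nil`, `math_engine: null` in `_config.yml` lands on the nil branch and is preserved, while a missing key is left for the gem's default; keeping those two cases distinct is what lets the "unset" option exist without changing the behaviour of every site that never mentions `math_engine`.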

That sounds reasonable. I don't have access to this PR, so opened a new one off of master with your requested changes.

mahrud avatar Jun 04 '19 17:06 mahrud