bookdown icon indicating copy to clipboard operation
bookdown copied to clipboard
verified publisher icon rstudio

[FR] Update MathJax src in gitbook template to latest version of 2.7

Open scarnecchia opened this issue 3 years ago • 3 comments

PR #937 is looking into making the MathJax version customizable. In the meantime, the template files reference the version hosted at https://mathjax.rstudio.com/latest/. Currently this is MathJax.js 2.7.2. Versions prior to 2.7.4 contain an XSS vulnerability (CVE-2018-1999024)

There's also a issue open to patch the embedded version in RStudio.

A simple way to patch this issue would be to update the src in the gitbook (and bs4) templates to point to another source to ensure that the resulting webpages are pulling the latest version of the 2.7.x family, such as: https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.9/MathJax.js?config=TeX-MML-AM_CHTML

Other than the fact that bookdown is maintained by RStudio, is there a particular reason for pointing to https://mathjax.rstudio.com/latest/?

If not, I'm happy to open a PR and make the updates.

scarnecchia avatar Jun 29 '22 21:06 scarnecchia

Thanks for the report! We'd welcome a PR to use the latest 2.7.x.

Other than the fact that bookdown is maintained by RStudio, is there a particular reason for pointing to https://mathjax.rstudio.com/latest/?

We started to host MathJax shortly after the original MathJax CDN was shut down a few years ago: https://www.mathjax.org/cdn-shutting-down/ The goal was that https://mathjax.rstudio.com/latest/ always points to the latest version of MathJax, but apparently our IT failed to do so at some point. @cderv Could you file a ticket? Thanks!

yihui avatar Jun 30 '22 01:06 yihui

It is already filled there since some time to move to 3: https://github.com/rstudio/rstudio/issues/8715

I believe updated the hosted version must be synced with IDE update too. AFAIK.

Just recently update to latest 2.7 is on the todo: https://github.com/rstudio/rstudio/issues/11535 as linked by @scarnecchia

I added a comment so that we are sure to do both.

cderv avatar Jun 30 '22 08:06 cderv

I've implemented the change on a fork, I'll create a PR, but I assume you may hold off merging until we see a response to @cderv's question on rstudio/rstudio#11535—it strikes me as more efficient if your IT can update the hosted version upstream.

scarnecchia avatar Jun 30 '22 12:06 scarnecchia

closed by #1355

cderv avatar Aug 24 '22 09:08 cderv

This old thread has been automatically locked. If you think you have found something related to this, please open a new issue by following the issue guide (https://yihui.org/issue/), and link to this old issue if necessary.

github-actions[bot] avatar Mar 08 '23 05:03 github-actions[bot]