Fix HTML sanitization escape via math syntax errors.

By default, invoke KaTeX in ‘throwOnError:false‘ mode, so that it will produce _something_ from any input, and in particular, something which is guaranteed not to allow any live HTML tags through from the input. (Unless you are using ‘trust:true‘, in which case you presumably know what you are doing and why.) throwOnError:true mode can be re-enabled with plugin options, but then this plugin will **not** catch any exceptions that are thrown, leaving recovery up to a higher level. Since this is a significant behavior change, but one that is more likely to *fix* bugs in dependent programs than to introce them, the version number is now 2.1.0. Fixes waylonflinn#26, waylonflinn#30, and waylonflinn#7. I would like to thank @khrykin, poster of waylonflinn#7, for the idea that maybe the exception handlers inside this plugin should just be completely removed.
zackw · Dec 3, 2022 · 7a11295 · 7a11295
1 parent dd20fa4
commit 7a11295
Show file tree

Hide file tree

Showing 6 changed files with 119 additions and 23 deletions.
diff --git a/README.md b/README.md
@@ -45,9 +45,11 @@ If you're using the default markdown-it parser, I also recommend the [github sty
 <link rel="stylesheet" href="https://cdn.jsdelivr.net/github-markdown-css/2.2.1/github-markdown.css"/>
 ```
 
-`KaTeX` options can be supplied with the second argument to use.
+By default KaTeX is in `throwOnError:false` mode, unlike its upstream
+behavior.  KaTeX options can be supplied with the second argument to `use`.
+
 ```javascript
-md.use(mk, {"throwOnError" : false, "errorColor" : " #cc0000"});
+md.use(mk, {errorColor: "#cc0000"});
 ```
 
 ## Examples
@@ -59,8 +61,8 @@ $\sqrt{3x-1}+(1+x)^2$
 ```
 
 ### Block
-Use two (`$$`) for block rendering. This mode uses bigger symbols and centers
-the result.
+Use two (`$$`) for block rendering. This mode uses bigger symbols and
+centers the result.
 
 ```
 $$\begin{array}{c}
@@ -92,3 +94,21 @@ KaTeX is based on TeX and LaTeX. Support for both is growing. Here's a list of
 currently supported functions:
 
 [Function Support in KaTeX](https://github.com/Khan/KaTeX/wiki/Function-Support-in-KaTeX)
+
+## News
+
+### Version 2.1.0
+
+ * KaTeX dependency updated to 0.16.x — fixes many rendering
+   problems.
+
+ * Behavior change from 2.0.3 and earlier: by default KaTeX is in
+   `throwOnError:false` mode.  This means KaTeX is responsible for the
+   rendering of syntactically invalid math as well as valid math.
+
+   If you set `throwOnError:true`, markdown-it-katex **will not**
+   catch the exception. You are responsible for handling invalid math
+   in this case.
+
+   This change fixes the XSS-with-invalid-math-markup bugs reported
+   against 2.0.3 and earlier.
diff --git a/index.js b/index.js
@@ -155,18 +155,13 @@ function math_block(state, start, end, silent){
 module.exports = function math_plugin(md, options) {
     // Default options
 
-    options = options || {};
+    options = options ?? {};
+    options.throwOnError ??= false;
 
     // set KaTeX as the renderer for markdown-it-simplemath
     var katexInline = function(latex){
         options.displayMode = false;
-        try{
-            return katex.renderToString(latex, options);
-        }
-        catch(error){
-            if(options.throwOnError){ console.log(error); }
-            return latex;
-        }
+        return katex.renderToString(latex, options);
     };
 
     var inlineRenderer = function(tokens, idx){
@@ -175,17 +170,11 @@ module.exports = function math_plugin(md, options) {
 
     var katexBlock = function(latex){
         options.displayMode = true;
-        try{
-            return "<p>" + katex.renderToString(latex, options) + "</p>";
-        }
-        catch(error){
-            if(options.throwOnError){ console.log(error); }
-            return latex;
-        }
+        return "<p>" + katex.renderToString(latex, options) + "</p>";
     }
 
     var blockRenderer = function(tokens, idx){
-        return  katexBlock(tokens[idx].content) + '\n';
+        return katexBlock(tokens[idx].content) + '\n';
     }
 
     md.inline.ruler.after('escape', 'math_inline', math_inline);

diff --git a/package.json b/package.json
@@ -1,11 +1,11 @@
 {
   "name": "markdown-it-katex",
-  "version": "2.0.3",
+  "version": "2.1.0",
   "description": "Fast math support for markdown-it with KaTeX",
   "main": "index.js",
   "scripts": {
     "watch": "watchify browser.js -o bundle.js -v",
-    "test": "node test/all.js"
+    "test": "tape test/*.js"
   },
   "repository": {
     "type": "git",

diff --git a/test/error-recovery.js b/test/error-recovery.js
diff --git a/test/fixtures/default.txt → test/fixtures/rendering.txt b/test/fixtures/default.txt → test/fixtures/rendering.txt
diff --git a/test/all.js → test/rendering.js b/test/all.js → test/rendering.js
@@ -9,7 +9,7 @@ var md = require('markdown-it')()
 /* this uses the markdown-it-testgen module to automatically generate tests
    based on an easy to read text file
  */
-testLoad(path.join(__dirname, 'fixtures/default.txt'), function(data){
+testLoad(path.join(__dirname, 'fixtures/rendering.txt'), function(data){
 	data.fixtures.forEach(function (fixture){
 
 		/* generic test definition code using tape */