From ff289955e81aab89086eef09254cbf88573d415c Mon Sep 17 00:00:00 2001
From: nsysean <76026698+nsysean@users.noreply.github.com>
Date: Sat, 18 Jan 2025 04:24:52 +0800
Subject: [PATCH 1/3] Merge commit from fork

* fix: escape \htmlData attribute name
* simplify escape lookup, add escape characters
* Add escape list source
* Fix escape list source
* fix: handling invalid HTML attribute names
* fix: change comments position
* fix: change HTML attribute name validator
* Factor out regex
* Improve tests to apply to check individual characters
* Rename regex

---------

Co-authored-by: Erik Demaine
---
 .eslintrc | 1 +
 src/domTree.js | 14 ++++++++++++++
 test/katex-spec.js | 18 ++++++++++++++++++
 3 files changed, 33 insertions(+)

diff --git a/.eslintrc b/.eslintrc
index 486a54e5e9..9059e1c860 100644
--- a/.eslintrc
+++ b/.eslintrc
@@ -39,6 +39,7 @@
 "no-array-constructor": 2,
 "no-console": 2,
 "no-const-assign": 2,
+ "no-control-regex": 0,
 "no-debugger": 2,
 "no-dupe-class-members": 2,
 "no-dupe-keys": 2,
diff --git a/src/domTree.js b/src/domTree.js
index 4ace3d12ce..b931578e25 100644
--- a/src/domTree.js
+++ b/src/domTree.js
@@ -17,6 +17,7 @@ import {path} from "./svgGeometry";
 import type Options from "./Options";
 import {DocumentFragment} from "./tree";
 import {makeEm} from "./units";
+import ParseError from "./ParseError";
 
 import type {VirtualNode} from "./tree";
 
@@ -83,6 +84,16 @@ const toNode = function(tagName: string): HTMLElement {
 return node;
 };
 
+/**
+ * https://w3c.github.io/html-reference/syntax.html#syntax-attributes
+ *
+ * > Attribute Names must consist of one or more characters
+ * other than the space characters, U+0000 NULL,
+ * '"', "'", ">", "/", "=", the control characters,
+ * and any characters that are not defined by Unicode.
+ */
+const invalidAttributeNameRegex = /[\s"'>/=\x00-\x1f]/;
+
 /**
  * Convert into an HTML markup string
  */
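Review bot: Turning `no-control-regex` off for the whole project in `.eslintrc` is wider than this fix needs, since the only intentional control-character class is the new `invalidAttributeNameRegex` in src/domTree.js. A `// eslint-disable-next-line no-control-regex` placed directly above that one regex keeps the rule active for the rest of the codebase, where a stray `\x1b`-style escape in a pattern is usually a typo rather than a deliberate check. It also leaves the justification next to the code that needs it instead of in a config file with no room for a comment.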
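Review bot: The new `invalidAttributeNameRegex` is narrower than the spec text quoted in the doc comment directly above it: the comment excludes "the control characters", but the class `\x00-\x1f` stops at U+001F, so U+007F (DEL) and the C1 range U+0080–U+009F pass the test and would still be serialized into the attribute name by toMarkup. I would not expect those code points on their own to break out of an attribute name in a browser, but the comment and the pattern should agree; extending the class to `/[\s"'>/=\x00-\x1f\x7f-\x9f]/` matches the documented intent, and the "characters that are not defined by Unicode" clause is not checked at all, so either drop that line from the quote or add a sentence saying it is deliberately not enforced. Separately, `\s` in JavaScript is Unicode-aware and so rejects more than the spec's ASCII "space characters" (e.g. U+00A0); that is the safe direction, but worth a one-line note such as `// \s is broader than the spec's space characters; rejecting more is intentional` so a later reader does not "fix" it.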
@@ -110,6 +121,9 @@ const toMarkup = function(tagName: string): string {
 // Add the attributes
 for (const attr in this.attributes) {
 if (this.attributes.hasOwnProperty(attr)) {
+ if (invalidAttributeNameRegex.test(attr)) {
+ throw new ParseError(`Invalid attribute name '${attr}'`);
+ }
 markup += ` ${attr}="${utils.escape(this.attributes[attr])}"`;
 }
 }
diff --git a/test/katex-spec.js b/test/katex-spec.js
index 70e587f96f..ed4d8f0616 100644
--- a/test/katex-spec.js
+++ b/test/katex-spec.js
@@ -2158,6 +2158,24 @@ describe("An HTML extension builder", function() {
 const built = getBuilt(html, trustNonStrictSettings);
 expect(built).toMatchSnapshot();
 });
+
+ it("should throw Error when HTML attribute name is invalid", function() {
+ for (const char of [">", " ", "\t", "\n", "\r", "\"", "'", "/"]) {
+ try {
+ katex.renderToString(
+ `\\htmlData{a${char}b=foo}{bar}`, trustNonStrictSettings);
+
+ // Render is expected to throw, so this should not be called.
+ expect(true).toBe(false);
+ } catch (error) {
+ expect(error).toBeInstanceOf(ParseError);
+ const message =
+ `Invalid attribute name 'data-a${char.replace(/\s/, ' ')}b'`;
+ expect(error.message).toBe(`KaTeX parse error: ${message}`);
+ expect(error.rawMessage).toBe(message);
+ }
+ }
+ });
 });
 
 describe("A bin builder", function() {
From 57914ad91eff401357f44bf364b136d37eba04f8 Mon Sep 17 00:00:00 2001
From: Erik Demaine
Date: Fri, 17 Jan 2025 15:28:17 -0500
Subject: [PATCH 2/3] fix: escape \htmlData attribute name

Empty commit to trigger release

From 923f2aa15692d06ef77051bfb018c17339ef1ab4 Mon Sep 17 00:00:00 2001
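Review bot: The new guard sits only in toMarkup, i.e. the HTML-string output path; the DOM path (toNode, whose body lies outside this hunk) is not touched, so the same attribute name reaches the two renderers with different outcomes. If toNode assigns attributes with setAttribute, the browser rejects names containing `>` or `"` with a DOMException rather than the ParseError this hunk introduces, and a name the browser tolerates would go through unchecked. Validating once where the `\htmlData` key is stored on the node (the functions/html handler, not visible here) would make both paths fail identically and surface the error at parse time instead of at serialization; at minimum, a comment on the new check such as `// Serialization-time guard; toNode relies on the DOM's own attribute-name validation` records why the check lives here. toMarkup's body continues outside the hunk.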
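Review bot: The character list in the new test covers `>`, whitespace, quotes and `/` but none of the `\x00-\x1f` range that the regex exists to reject other than tab, newline and carriage return, nor `=`; adding `"\x00"` or `"\x01"` to the array would pin the control-character branch, assuming the lexer passes such bytes through to `\htmlData` (the `char.replace(/\s/, ' ')` in the expected message suggests whitespace is normalized upstream, so confirm how raw control bytes survive). `=` may be unreachable through the `\htmlData{key=value}` syntax, in which case a comment saying so would explain its absence. The `expect(true).toBe(false)` sentinel inside the try is also caught by the surrounding catch and then fails on the `toBeInstanceOf(ParseError)` line with a misleading message; `expect(() => katex.renderToString(...)).toThrow(ParseError)` followed by a separate call to capture `rawMessage`, or an `expect.assertions(n)` at the top of the test, makes a non-throwing regression fail for the right reason.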
From: KaTeX bot <33710906+KaTeX-bot@users.noreply.github.com> Date: Fri, 17 Jan 2025 20:30:34 +0000 Subject: [PATCH 3/3] chore(release): 0.16.21 [ci skip] ## [0.16.21](https://github.com/KaTeX/KaTeX/compare/v0.16.20...v0.16.21) (2025-01-17) ### Bug Fixes * escape \htmlData attribute name ([57914ad](https://github.com/KaTeX/KaTeX/commit/57914ad91eff401357f44bf364b136d37eba04f8)) --- CHANGELOG.md | 7 +++++++ README.md | 6 +++--- contrib/copy-tex/README.md | 4 ++-- contrib/mathtex-script-type/README.md | 10 +++++----- contrib/mhchem/README.md | 2 +- docs/autorender.md | 16 ++++++++-------- docs/browser.md | 24 ++++++++++++------------ docs/support_table.md | 2 +- docs/supported.md | 2 +- package.json | 2 +- 10 files changed, 41 insertions(+), 34 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a29ab057a..ef738d0341 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,13 @@ # Changelog All notable changes to this project will be documented in this file. This CHANGELOG roughly follows the guidelines from [www.keepachangelog.com](https://keepachangelog.com/en/1.0.0/). +## [0.16.21](https://github.com/KaTeX/KaTeX/compare/v0.16.20...v0.16.21) (2025-01-17) + + +### Bug Fixes + +* escape \htmlData attribute name ([57914ad](https://github.com/KaTeX/KaTeX/commit/57914ad91eff401357f44bf364b136d37eba04f8)) + ## [0.16.20](https://github.com/KaTeX/KaTeX/compare/v0.16.19...v0.16.20) (2025-01-12) diff --git a/README.md b/README.md index a01ddf914b..09e86f575a 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ Try out KaTeX [on the demo page](https://katex.org/#demo)! - + - + - ... diff --git a/contrib/copy-tex/README.md b/contrib/copy-tex/README.md index ca691d8fcd..614c796f0d 100644 --- a/contrib/copy-tex/README.md +++ b/contrib/copy-tex/README.md @@ -18,7 +18,7 @@ This extension isn't part of KaTeX proper, so the script should be separately included in the page. ```html - + ``` (Note that, as of KaTeX 0.16.0, there is no longer a corresponding CSS file.) 
@@ -35,5 +35,5 @@ statement with `require('katex/contrib/copy-tex/katex2tex.js')`. ECMAScript module is also available: ```html - + ``` diff --git a/contrib/mathtex-script-type/README.md b/contrib/mathtex-script-type/README.md index 01c51f14d7..39b6dfc064 100644 --- a/contrib/mathtex-script-type/README.md +++ b/contrib/mathtex-script-type/README.md @@ -11,7 +11,7 @@ included in the page, in addition to KaTeX. Load the extension by adding the following line to your HTML file. ```html - + ``` You can download the script and use it locally, or from a local KaTeX installation instead. @@ -23,9 +23,9 @@ Then, in the body, we use a `math/tex` script to typeset the equation `x+\sqrt{1 - - - + + + @@ -35,4 +35,4 @@ Then, in the body, we use a `math/tex` script to typeset the equation `x+\sqrt{1 ECMAScript module is also available: ```html - + diff --git a/contrib/mhchem/README.md b/contrib/mhchem/README.md index 00c150e76d..515e5ce7e9 100644 --- a/contrib/mhchem/README.md +++ b/contrib/mhchem/README.md @@ -7,7 +7,7 @@ This extension adds to KaTeX the `\ce` and `\pu` functions from the [mhchem](htt This extension isn't part of core KaTeX, so the script should be separately included. Write the following line into the HTML page's ``. Place it *after* the line that calls `katex.js`, and if you make use of the [auto-render](https://katex.org/docs/autorender.html) extension, place it *before* the line that calls `auto-render.js`. ```html - + ``` If you remove the `defer` attribute from this tag, then you must also remove the `defer` attribute from the ` - + ``` @@ -31,9 +31,9 @@ want to use a `defer` or `onload` attribute. For example: ```html - - - + + + ``` diff --git a/docs/browser.md b/docs/browser.md index b128b3b661..2c300969d7 100644 --- a/docs/browser.md +++ b/docs/browser.md @@ -11,13 +11,13 @@ title: Browser - + - + - ... 
@@ -29,15 +29,15 @@ If you include the `katex.js` directly, the `katex` object will be available as a global variable. ```html - - + + ``` KaTeX also provides minified versions: ```html - - + + ``` The examples above load the script [deferred using the `defer` attribute](https://developer.mozilla.org/en/HTML/Element/script#Attributes) @@ -81,22 +81,22 @@ for more detail. ```html - + ``` ### ECMAScript module ```html - - + + ``` > Use [`nomodule` attribute](https://developer.mozilla.org/en/HTML/Element/script#Attributes) diff --git a/docs/support_table.md b/docs/support_table.md index 7e0378d7aa..0951b3cdae 100644 --- a/docs/support_table.md +++ b/docs/support_table.md @@ -6,7 +6,7 @@ This is a list of TeX functions, sorted alphabetically. This list includes funct If you know the shape of a character, but not its name, [Detexify](https://detexify.kirelabs.org/classify.html) can help. - +