HTML inside math #3022
Replies: 2 comments
-
|
Here is one approach to allow you to do what you ask: <!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>Isolate html-in-tex</title>
<script>
MathJax = {
loader: {load: ['[tex]/texhtml']},
tex: {
packages: {'[+]': ['texhtml']},
allowTexHTML: true,
preFilters: [
({math, data}) => {
data.options.allowTexHTML =
!math.start.node?.parentNode.closest('[data-allow-tex-html="false"]');
}
]
},
};
</script>
<script src="https://cdn.jsdelivr.net/npm/mathjax@4/tex-chtml.js"></script>
</head>
<body>
<div>
$$x = <tex-html><input type="text" size="10"/></tex-html>$$
</div>
<div data-allow-tex-html="false">
$$x = <tex-html><input type="text" size="10"/></tex-html>$$
</div>
</body>
</html>It creates a TeX input jax pre-filter that checks of the math being processed lies inside a container element with Conversely, if you want a white-list approach, change the check to look for <!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>Isolate html-in-tex</title>
<script>
MathJax = {
loader: {load: ['[tex]/texhtml']},
tex: {
packages: {'[+]': ['texhtml']},
allowTexHTML: true,
preFilters: [
({math, data}) => {
data.options.allowTexHTML =
!!math.start.node?.parentNode.closest('[data-allow-tex-html="true"]');
}
]
},
};
</script>
<script src="https://cdn.jsdelivr.net/npm/mathjax@4/tex-chtml.js"></script>
</head>
<body>
<div data-allow-tex-html="true">
$$x = <tex-html><input type="text" size="10"/></tex-html>$$
</div>
<div>
$$x = <tex-html><input type="text" size="10"/></tex-html>$$
</div>
</body>
</html> |
Beta Was this translation helpful? Give feedback.
-
|
The simple answer for the cases where students or instructors can create math via essay answers or instructor comments is that even if you set So there is no real need for this precaution. Note that problem authors are an entirely different story, and they can inject html include javascript and css. At this point, we do not consider this a security vulnerability. It is highly doubtful that a data attribute would actually add any real security on this. If html were not escaped, then the user could just add that data attribute to the html that they inject. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
I'd like to explore using the MathJax 4 feature that allows HTML inside math. The goal would be to have answer input fields inside a math expression, like lower and upper limits on a summation, etc. I'm sure there will be many things to think about with this, especially with MathQuill active on answer input fields like this. However, before thinking too hard, I want to ask about the security issue. In a WeBWorK setting, most of the time, the users don't create math to be rendered. But there are at least two settings where they do. One is students writing responses to essay questions. Another is faculty writing comments to students. In each case, the user can type things like
\( ... \)for the math to render later when the (respective) instructor or student reads it. (A third place is an instructor authoring a problem, but I'm not worried about that case.)So I have a question for @dpvc. Is it currently the case that the
allowTexHTMLconfiguration in MathJax can be used in such a way where it is most of the timetrue, but configured to befalsein specific places? Namely, within thedivsthat render user-defined math? Or conversely, onlytruewithin the rendering of a PG problem? Or, can two MathJax configurations exist at the same time on a page, and be used selectively by different page elements?Beta Was this translation helpful? Give feedback.
All reactions