From a61128e5e2c35f2317f849ab7a63b3691f973cc6 Mon Sep 17 00:00:00 2001 From: Mac Lockard Date: Fri, 1 Oct 2021 11:12:17 -0700 Subject: [PATCH 1/5] Mention how to configure rehype-sanitize in README --- readme.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/readme.md b/readme.md index 8238d86..eea3293 100644 --- a/readme.md +++ b/readme.md @@ -99,6 +99,38 @@ so any vulnerability in KaTeX can open you to a Always be wary of user input and use [`rehype-sanitize`][rehype-sanitize]. +If you are using [`rehype-sanitize`][rehype-sanitize], but fully trust that +[KaTeX][] doesn't have any XSS vulnerabilities, you can allow list the required +class names by extending the sanitize schema like so: + +```js +const mathSanitizeSchema = { + ...defaultSchema, + attributes: { + ...defaultSchema.attributes, + div: [ + ...defaultSchema.attributes.div, + ["className", "math", "math-display"], + ], + span: [ + ["className", "math", "math-inline"], + ], + }, +}; +``` + +And applying the `rehype-katex` plugin _after_ the [`rehype-sanitize`][rehype-sanitize] one like so: + +```js +[ + rehypeRaw, + ... + [rehypeSanitize, mathSanitizeSchema], + rehypeKatex, + ... +] +``` + ## Related * [`remark-breaks`](https://github.com/remarkjs/remark-breaks) From d1c0863e9fca5c5bd3a45503138e7d428d17404f Mon Sep 17 00:00:00 2001 From: Mac Lockard Date: Fri, 1 Oct 2021 11:15:16 -0700 Subject: [PATCH 2/5] update --- readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme.md b/readme.md index eea3293..9016098 100644 --- a/readme.md +++ b/readme.md @@ -101,7 +101,7 @@ Always be wary of user input and use [`rehype-sanitize`][rehype-sanitize]. If you are using [`rehype-sanitize`][rehype-sanitize], but fully trust that [KaTeX][] doesn't have any XSS vulnerabilities, you can allow list the required -class names by extending the sanitize schema like so: +class names added by `remark-math` by extending the sanitize schema like so: ```js const mathSanitizeSchema = { From 882106678a02374b859d34684d10fc8f8646e7e8 Mon Sep 17 00:00:00 2001 From: Mac Lockard Date: Fri, 1 Oct 2021 11:54:49 -0700 Subject: [PATCH 3/5] Apply suggestions from code review Co-authored-by: Titus --- readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/readme.md b/readme.md index 9016098..435d940 100644 --- a/readme.md +++ b/readme.md @@ -100,7 +100,7 @@ so any vulnerability in KaTeX can open you to a Always be wary of user input and use [`rehype-sanitize`][rehype-sanitize]. If you are using [`rehype-sanitize`][rehype-sanitize], but fully trust that -[KaTeX][] doesn't have any XSS vulnerabilities, you can allow list the required +[KaTeX][] doesn’t have any XSS vulnerabilities, you can allow list the required class names added by `remark-math` by extending the sanitize schema like so: ```js @@ -119,7 +119,7 @@ const mathSanitizeSchema = { }; ``` -And applying the `rehype-katex` plugin _after_ the [`rehype-sanitize`][rehype-sanitize] one like so: +And applying the `rehype-katex` plugin *after* the [`rehype-sanitize`][rehype-sanitize] one like so: ```js [ From af6ac1b25b683a69d87edc08aa3095e3d001509b Mon Sep 17 00:00:00 2001 From: Mac Lockard Date: Fri, 1 Oct 2021 12:03:40 -0700 Subject: [PATCH 4/5] run format --- readme.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/readme.md b/readme.md index 435d940..de5e8dd 100644 --- a/readme.md +++ b/readme.md @@ -119,7 +119,8 @@ const mathSanitizeSchema = { }; ``` -And applying the `rehype-katex` plugin *after* the [`rehype-sanitize`][rehype-sanitize] one like so: +And applying the `rehype-katex` plugin *after* the +[`rehype-sanitize`][rehype-sanitize] plugin like so: ```js [ From 72185a94f32c93af24f24639a41489e869a572a7 Mon Sep 17 00:00:00 2001 From: Mac Lockard Date: Fri, 8 Oct 2021 11:21:30 -0700 Subject: [PATCH 5/5] Apply suggestions from code review Co-authored-by: Titus --- readme.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/readme.md b/readme.md index de5e8dd..0cacf69 100644 --- a/readme.md +++ b/readme.md @@ -99,9 +99,9 @@ so any vulnerability in KaTeX can open you to a Always be wary of user input and use [`rehype-sanitize`][rehype-sanitize]. -If you are using [`rehype-sanitize`][rehype-sanitize], but fully trust that -[KaTeX][] doesn’t have any XSS vulnerabilities, you can allow list the required -class names added by `remark-math` by extending the sanitize schema like so: +If you are using [`rehype-sanitize`][rehype-sanitize] and trust [KaTeX][], you +can allow the classes added by `remark-math` by extending the default schema +like so: ```js const mathSanitizeSchema = { @@ -110,13 +110,13 @@ const mathSanitizeSchema = { ...defaultSchema.attributes, div: [ ...defaultSchema.attributes.div, - ["className", "math", "math-display"], + ['className', 'math', 'math-display'] ], span: [ - ["className", "math", "math-inline"], - ], - }, -}; + ['className', 'math', 'math-inline'] + ] + } +} ``` And applying the `rehype-katex` plugin *after* the @@ -125,10 +125,10 @@ And applying the `rehype-katex` plugin *after* the ```js [ rehypeRaw, - ... + // … [rehypeSanitize, mathSanitizeSchema], - rehypeKatex, - ... + rehypeKatex + // … ] ```