safe mode (user input mode) #109
4 participants
Woah. I guess I never thought about it's use for that. I mostly added rule because it lets me make boxes of very specific sizes, but I can see now that it could be a problem. I can't think of any real use for it besides debugging, so would hiding it behind a debugging flag in options somewhere work?
Yeah, it'd make sense to disable it by default.
By the way, I enabled KaTeX on 8chan.co which gets 5000 posts per hour and is a 4chan alternative. You can probably expect more bug reports like this (if you're interested in making KaTeX secure to be enabled in comment sections, that is).
Sounds good.
Woah, awesome! Yep, keep them coming.
Any update on this? Would like to turn off my filter if possible, or if you could let me know how to disable it on my site.
@ctrlcctrlv Would you be able to create a pull request for this?
I actually read the titple “break pages” in terms of pagination for printed media, not in terms of a defective or otherwise unusable web page.
Disabling \rule is just a tiny fix. With commands like \hspace and \kern scheduled for inclusion (#164), one can create excessive amounts of horizontal space, while the \\ for matrices (#246) can accept an optional argument which can be used to create arbitrary amounts of vertical space. \begin{pmatrix}a\\[99999em]\end{pmatrix} could probably cause serious problems for browsers, but we don't want to completely disable custom line skips for {pmatrix}.
- So perhaps we want to hack the dimension lexer, to restrict all dimensions it parses, at least in safe mode. Anything in excess of
5emis probably abusive. - We could also have a look at the vertical extent of the final box, and fail if that exceeds some threshold. Coming up with a reasonable threshold here will be much harder, though, since one might well use
{array}to display large tables or matrices. - We could add a counter to keep track of how many spans we're about to place in the DOM, and impose a limit on that, although without looping constructs I can think of no way to achieve this without excessive amounts of input, unless it's using big delimiters which would make it hit the height limit. But perhaps there is a way I haven't considered yet, or perhaps there will be a way when we add more features.
- Finally, we definitely should have a way to disable
\defand friends once #250 gets resolved.
Should we plan on adding something like safe:true to the options object passed to render? Sould we grant finer control over the various thresholds?
I couldn't get KaTeX to work for me and switched to MathJax due to no safe mode (user input mode). I've given up on it.
kevinbarabash
changed the title from \rule can be abused by users to break pages to safe mode (user input mode)
@ctrlcctrlv I didn't realize that MathJax has a safe mode. We'll want to do something similar eventually I just don't know when that will happen.
Glad to hear @kevinb7 :) I'll keep watching this ticket as I really did like KaTeX when I was using it.
For my site all contributions are anonymous and even abusive networks like Tor are not blocked, so it's really not an option to "just ban the users" because there are no accounts or karma or anything like that. That's why the commenting system has to be at such a high level of security, and especially all user input processors have to be secure.
Even for slower moving boards where it [may] feasibly be enough to just delete posts of users abusing TeX, only certain people would know how to disable JS to actually get to the posts to delete them. It's also like Reddit where "mods" aren't trained...they're just users who made their own community/got assigned by the creator of a community.
I don't know what the policy is about LaTeX content posted to UGC sites, whether or not you're patching bugs that deal with this.
However the following TeX was found by my users and they used it to (temporarily) break my site until I filtered \rule:
I think it should have an upper maximum.