
Nexus IQ vulnerability flag #13210

Closed
AsymptoticBrain opened this issue Dec 7, 2020 · 2 comments

Comments

@AsymptoticBrain

When scanning my dependencies, Nexus IQ flags scipy for CVE-2018-1999024, a vulnerability related to MathJax versions prior to 2.7.4. I can't seem to find any information on what version scipy is running at all, or whether it's flagging in error.

MathJax versions prior to 2.7.4 contain a Cross-Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in potentially untrusted JavaScript running within a web browser. This attack appears to be exploitable as follows: the victim must view a page where untrusted content is processed using MathJax. This vulnerability appears to have been fixed in 2.7.4 and later.

@ilayn
Member

ilayn commented Dec 7, 2020

@AsymptoticBrain Thanks for the issue. First things first, please, and I am begging you, don't report security vulnerabilities publicly. Like EVER.

Regarding the mathjax, this relates to which sphinx version you want to use to build your documentation.

@ilayn ilayn closed this as completed Dec 7, 2020
@pv
Member

pv commented Dec 7, 2020

Scipy HTML docs bundle mathjax (for offline use). The version used is here: https://github.com/scipy/scipy-mathjax --- it's mathjax 2.7.1 and maybe could be upgraded. However, I don't think it's vulnerable to XSS here, because the Scipy doc pages contain solely static content and there is no user-provided untrusted content.
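Since the original question was how to tell which MathJax version a built docs tree ships, here is an added example (not SciPy's, scipy-mathjax's or MathJax's own code) that walks a docs directory, reads the `MathJax.version = "..."` declaration that MathJax 2.x places near the top of MathJax.js (that exact form is an assumption), and compares it numerically against the 2.7.4 fix release. It only reports that an affected version is present; whether any page feeds untrusted content to MathJax, the point pv raises, is a separate judgment the script cannot make.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample standing in for the header of a bundled MathJax.js.
# Assumption: MathJax 2.x declares its version as `MathJax.version = "2.7.1";`.
SAMPLE_MATHJAX_JS = '''/*
 *  MathJax.js (constructed sample header, not the real file)
 */
if (!window.MathJax) {window.MathJax = {}}
MathJax.version = "2.7.1";
MathJax.fileversion = "2.7.1";
'''

FIXED_IN = "2.7.4"  # release in which CVE-2018-1999024 is reported fixed
VERSION_RE = re.compile(r'MathJax\.version\s*=\s*"([0-9][0-9.]*)"')


def parse_version(s: str) -> tuple:
    """Turn "2.7.1" into (2, 7, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


def mathjax_version(js_source: str):
    """Return the version string declared in a MathJax.js source, or None if absent."""
    m = VERSION_RE.search(js_source)
    return m.group(1) if m else None


def is_affected(version: str, fixed_in: str = FIXED_IN) -> bool:
    """True when `version` predates the fix release (strictly less than fixed_in)."""
    return parse_version(version) < parse_version(fixed_in)


def audit_docs_tree(root: Path):
    """Find every MathJax.js under a built-docs tree; yield (path, version, affected).

    version is None when the file declares no version, and affected is then None too,
    so an undeclared copy is surfaced for manual review rather than silently passed.
    """
    results = []
    for js in root.rglob("MathJax.js"):
        version = mathjax_version(js.read_text(encoding="utf-8", errors="replace"))
        affected = is_affected(version) if version else None
        results.append((js, version, affected))
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # throwaway tree holding the sample
        target = Path(d) / "_static" / "mathjax"
        target.mkdir(parents=True)
        (target / "MathJax.js").write_text(SAMPLE_MATHJAX_JS)
        for path, ver, hit in audit_docs_tree(Path(d)):
            print(f"{path}: MathJax {ver} -> {'predates ' + FIXED_IN if hit else 'OK'}")
```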
