Handling dependencies properly #21
Comments
|
Apart from loss of availability, do you see any other security issue occurring? Specifically, do you see a possible loss of confidentiality or loss of integrity? If so, would you please spell out the details of how such a security issue might be exploited? Note: If you do not trust a specific CDN with availability, you can change the CDN URLs via configuration options. TeXMe does not depend on any specific CDN and TeXMe itself is distributed via multiple CDNs. |
|
@susam Another issue I found meanwhile that you override window.onload by renderOnLoad=true instead of registering an event listener with addEventListener. This can easily interfere with other js code running on a site. It would be better to solve just a single thing instead of trying to write a module loader and deciding what the webpage does on load. An example should look something like this without a module bundler like webpack, though I have no idea how to load these dependencies properly: <!DOCTYPE html>
<html lang="en">
<title>Notes on Euler's Identity</title>
<script src="https://cdn.jsdelivr.net/npm/commonmark@0.29.2"></script>
<script src="https://cdn.jsdelivr.net/npm/mathjax@3"></script>
<script src="https://cdn.jsdelivr.net/npm/texme@0.9.0"></script>
<script>
window.onload = function () {
texme.renderPage({
commonmark: commonmarkInstance,
mathjax: mathjaxInstance
});
}
</script>
<textarea>
# Euler's Identity
In mathematics, **Euler's identity** is the equality
$$ e^{i \pi} + 1 = 0. $$
## Explanation
Euler's identity is a special case of Euler's formula from complex
analysis, which states that for any real number $ x $,
$$ e^{ix} = \cos x + i \sin x. $$
</textarea> |
Please provide specific examples. What exactly is a security issue? How does a user get compromised?
I am not making any decision for you. This is a free and open source project. It is provided "as is", without warranty of any kind, express or implied. You are free to use this project as-is or fork it and modify it to suit your needs. See LICENSE.md for more details.
Your webpages can load the dependencies from any CDN URL or even your own web server. The CDN URLs are configurable. See configuration options
When this package is used in an NPM-based project as a library, that is, as an NPM dependency, no resource from any external CDN is pulled in. When the caller calls When you use TeXMe in a web page, yes, it pulls in dependencies from CDN. That is because TeXMe caters to users who want to write standalone self-rendering HTML pages with minimal markup. The code example you have provided in your comment is not a problem TeXMe is trying to solve.
This is true only for the primary and intended usage of TeXMe, that is, self-rendering documents written as per the Get Started guide. For other use cases where someone is loading TeXMe in their page which contains other JavaScript code that TeXMe might conflict with, skip automatic rendering on load with
Since TeXMe was created to offer a way of writing standalone HTML files with Markdown + LaTeX + minimal HTML markup that starts rendering itself as soon as it loads, TeXMe must decide what the web page does on load. |
The project pulls in js files from https://cdn.jsdelivr.net/npm/ instead of using a local copy, so if that cdn is down e.g. because of a ddos attack, then the markdown won't work or the page will wait a lot for that js file. I would rather consider a module bundler like webpack or browserify or add the extra dependencies as script tags and check their existence instead of trying to reinventing the wheel and injecting them with your code. This is not just a little inconvenience, but a security issue.
The text was updated successfully, but these errors were encountered: