Allow svg paths for rendered math

mjbvz · mjbvz · commit 1cd8ad3264bd · 2025-08-11T16:34:05.000-07:00
Fixes microsoft#259148
diff --git a/src/vs/base/browser/markdownRenderer.ts b/src/vs/base/browser/markdownRenderer.ts
@@ -56,6 +56,9 @@ export interface MarkdownSanitizerConfig {
 	readonly allowedTags?: {
 		readonly override: readonly string[];
 	};
+	readonly allowedAttributes?: {
+		readonly override: readonly string[];
+	};
 	readonly customAttrSanitizer?: (attrName: string, attrValue: string) => boolean | string;
 	readonly allowedLinkSchemes?: {
 		readonly augment: readonly string[];
@@ -510,7 +513,7 @@ function getDomSanitizerConfig(isTrusted: boolean | MarkdownStringTrustedOptions
 			override: options.allowedTags?.override ?? allowedMarkdownHtmlTags
 		},
 		allowedAttributes: {
-			override: allowedMarkdownHtmlAttributes,
+			override: options.allowedAttributes?.override ?? allowedMarkdownHtmlAttributes,
 		},
 		allowedLinkProtocols: {
 			override: allowedLinkSchemes,
diff --git a/src/vs/workbench/contrib/markdown/browser/markedKatexSupport.ts b/src/vs/workbench/contrib/markdown/browser/markedKatexSupport.ts
@@ -22,14 +22,27 @@ export class MarkedKatexSupport {
 					...trustedMathMlTags,
 				]
 			},
+			allowedAttributes: {
+				override: [
+					...baseConfig.allowedAttributes,
+					// Math
+					'stretchy',
+					'encoding',
+					'accent',
+					// SVG
+					'd',
+					'viewBox',
+					'preserveAspectRatio',
+				]
+			},
 			customAttrSanitizer: (attrName, attrValue) => {
 				if (attrName === 'class') {
 					return true; // TODO: allows all classes for now since we don't have a list of possible katex classes
 				} else if (attrName === 'style') {
 					return this.sanitizeKatexStyles(attrValue);
 				}
 
-				return baseConfig.allowedAttributes.includes(attrName);
+				return true; // Allow through other attrs. Our allow list already filtered out bad ones
 			},
 		};
 	}
