Fix xss

Author: dark-flames

package.json

@@ -25,12 +25,11 @@
     "axios": "^0.18.0",
     "codemirror": "^5.39.0",
     "global": "^4.3.2",
-    "katex": "^0.9.0",
+    "katex": "^0.11.1",
     "lodash": "4.17.10",
     "markdown-it": "^8.4.2",
     "markdown-it-v": "^1.2.1",
     "markdown-it-v-codemirror-highlighter": "1.0.0",
-    "markdown-it-v-katex": "^1.0.0-alpha.1",
     "vue": "^2.5.11"
   },
   "devDependencies": {

src/FixedMarkdownItVKatex.js

@@ -2,6 +2,7 @@
 /*
 Like markdown-it-simplemath, this is a stripped down, simplified version of:
 https://github.com/runarberg/markdown-it-math
+
 It differs in that it takes (a subset of) LaTeX as input and relies on KaTeX
 for rendering output.
 */
@@ -133,11 +134,22 @@ function math_block(state, start, end, silent){
     return true;
 }
 
-module.exports = function math_plugin(md, options) {
+export default function math_plugin(md, options) {
     // Default options
 
     options = options || {};
 
+    var escapeHtml = function(html) {
+        var tagsToReplace = {
+            '&': '&',
+            '<': '&lt;',
+            '>': '&gt;'
+        };
+        return html.replace(/[&<>]/g, function(tag) {
+            return tagsToReplace[tag] || tag;
+        });
+    };
+
     // set KaTeX as the renderer for markdown-it-simplemath
     var katexInline = function(latex){
         options.displayMode = false;
@@ -146,12 +158,13 @@ module.exports = function math_plugin(md, options) {
         }
         catch(error){
             if(options.throwOnError){ console.log(error); }
-            return latex;
+            return escapeHtml(latex);
         }
     };
 
     var inlineRenderer = function(tokens, idx, options, env, { sDom }){
-        const html = katexInline(tokens[idx].content);
+        var html = katexInline(tokens[idx].content)
+
         sDom.openTag('span', { __html: html })
         sDom.closeTag()
         return sDom
@@ -164,12 +177,12 @@ module.exports = function math_plugin(md, options) {
         }
         catch(error){
             if(options.throwOnError){ console.log(error); }
-            return latex;
+            return escapeHtml(latex);
         }
     }
 
     var blockRenderer = function(tokens, idx, options, env, { sDom }){
-        const html = katexBlock(tokens[idx].content);
+        var html = katexBlock(tokens[idx].content);
         sDom.openTag('p', { __html: html })
         sDom.closeTag()
         sDom.appendText('\n')

yarn.lock

@@ -2448,6 +2448,11 @@ commander@^2.18.0:
   resolved "https://registry.yarnpkg.com/commander/-/commander-2.19.0.tgz#f6198aa84e5b83c46054b94ddedbfed5ee9ff12a"
   integrity sha512-6tvAOO+D6OENvRAh524Dh9jcfKTYDQAqvqezbCW82xj5X0pSrcpxtvRKHLG0yBY6SD7PSDrJaj+0AiOcKVd1Xg==
 
+commander@^2.19.0:
+  version "2.20.3"
+  resolved "https://registry.yarnpkg.com/commander/-/commander-2.20.3.tgz#fd485e84c03eb4881c20722ba48035e8531aeb33"
+  integrity sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==
+
 commander@~2.17.1:
   version "2.17.1"
   resolved "https://registry.yarnpkg.com/commander/-/commander-2.17.1.tgz#bd77ab7de6de94205ceacc72f1716d29f20a77bf"
@@ -5012,11 +5017,12 @@ jsprim@^1.2.2:
     json-schema "0.2.3"
     verror "1.10.0"
 
-katex@^0.9.0:
-  version "0.9.0"
-  resolved "https://registry.yarnpkg.com/katex/-/katex-0.9.0.tgz#26a7d082c21d53725422d2d71da9b2d8455fbd4a"
+katex@^0.11.1:
+  version "0.11.1"
+  resolved "https://registry.yarnpkg.com/katex/-/katex-0.11.1.tgz#df30ca40c565c9df01a466a00d53e079e84ffaa2"
+  integrity sha512-5oANDICCTX0NqYIyAiFCCwjQ7ERu3DQG2JFHLbYOf+fXaMoH8eg/zOq5WSYJsKMi/QebW+Eh3gSM+oss1H/bww==
   dependencies:
-    match-at "^0.1.1"
+    commander "^2.19.0"
 
 killable@^1.0.0:
   version "1.0.0"
@@ -5265,13 +5271,6 @@ [email protected]:
   dependencies:
     codemirror "^5.39.0"
 
-markdown-it-v-katex@^1.0.0-alpha.1:
-  version "1.0.0-alpha.1"
-  resolved "http://registry.npm.taobao.org/markdown-it-v-katex/download/markdown-it-v-katex-1.0.0-alpha.1.tgz#b85a2848a46ed7f2eecd124352fb812f853381a2"
-  integrity sha1-uFooSKRu1/LuzRJDUvuBL4UzgaI=
-  dependencies:
-    katex "^0.9.0"
-
 markdown-it-v@^1.2.1:
   version "1.2.1"
   resolved "http://registry.npm.taobao.org/markdown-it-v/download/markdown-it-v-1.2.1.tgz#2226f496654e145f5dc310f4bf98795444466f9d"
@@ -5290,10 +5289,6 @@ markdown-it@^8.4.2:
     mdurl "^1.0.1"
     uc.micro "^1.0.5"
 
-match-at@^0.1.1:
-  version "0.1.1"
-  resolved "https://registry.yarnpkg.com/match-at/-/match-at-0.1.1.tgz#25d040d291777704d5e6556bbb79230ec2de0540"
-
 md5.js@^1.3.4:
   version "1.3.4"
   resolved "https://registry.yarnpkg.com/md5.js/-/md5.js-1.3.4.tgz#e9bdbde94a20a5ac18b04340fc5764d5b09d901d"