katex 0.16.9 → 0.16.10

package/dist/katex.mjs

@@ -254,12 +254,34 @@ var assert = function assert(value) {
 };
 /**
  * Return the protocol of a URL, or "_relative" if the URL does not specify a
- * protocol (and thus is relative).
+ * protocol (and thus is relative), or `null` if URL has invalid protocol
+ * (so should be outright rejected).
  */
 
 var protocolFromUrl = function protocolFromUrl(url) {
-  var protocol = /^\s*([^\\/#]*?)(?::|&#0*58|&#x0*3a)/i.exec(url);
-  return protocol != null ? protocol[1] : "_relative";
+  // Check for possible leading protocol.
+  // https://url.spec.whatwg.org/#url-parsing strips leading whitespace
+  // (U+20) or C0 control (U+00-U+1F) characters.
+  // eslint-disable-next-line no-control-regex
+  var protocol = /^[\x00-\x20]*([^\\/#?]*?)(:|&#0*58|&#x0*3a|&colon)/i.exec(url);
+
+  if (!protocol) {
+    return "_relative";
+  } // Reject weird colons
+
+
+  if (protocol[2] !== ":") {
+    return null;
+  } // Reject invalid characters in scheme according to
+  // https://datatracker.ietf.org/doc/html/rfc3986#section-3.1
+
+
+  if (!/^[a-zA-Z][a-zA-Z0-9+\-.]*$/.test(protocol[1])) {
+    return null;
+  } // Lowercase the protocol
+
+
+  return protocol[1].toLowerCase();
 };
 var utils = {
   contains,
@@ -509,7 +531,13 @@ class Settings {
 
   isTrusted(context) {
     if (context.url && !context.protocol) {
-      context.protocol = utils.protocolFromUrl(context.url);
+      var protocol = utils.protocolFromUrl(context.url);
+
+      if (protocol == null) {
+        return false;
+      }
+
+      context.protocol = protocol;
     }
 
     var trust = typeof this.trust === "function" ? this.trust(context) : this.trust;
@@ -4083,7 +4111,7 @@ class Img {
   }
 
   toMarkup() {
-    var markup = "<img  src='" + this.src + " 'alt='" + this.alt + "' "; // Add the styles, after hyphenation
+    var markup = "<img src=\"" + utils.escape(this.src) + "\"" + (" alt=\"" + utils.escape(this.alt) + "\""); // Add the styles, after hyphenation
 
     var styles = "";
 
@@ -4274,7 +4302,7 @@ class SvgNode {
 
     for (var attr in this.attributes) {
       if (Object.prototype.hasOwnProperty.call(this.attributes, attr)) {
-        markup += " " + attr + "='" + this.attributes[attr] + "'";
+        markup += " " + attr + "=\"" + utils.escape(this.attributes[attr]) + "\"";
       }
     }
 
@@ -4312,9 +4340,9 @@ class PathNode {
 
   toMarkup() {
     if (this.alternate) {
-      return "<path d='" + this.alternate + "'/>";
+      return "<path d=\"" + utils.escape(this.alternate) + "\"/>";
     } else {
-      return "<path d='" + path[this.pathName] + "'/>";
+      return "<path d=\"" + utils.escape(path[this.pathName]) + "\"/>";
     }
   }
 
@@ -4343,7 +4371,7 @@ class LineNode {
 
     for (var attr in this.attributes) {
       if (Object.prototype.hasOwnProperty.call(this.attributes, attr)) {
-        markup += " " + attr + "='" + this.attributes[attr] + "'";
+        markup += " " + attr + "=\"" + utils.escape(this.attributes[attr]) + "\"";
       }
     }
 
@@ -4545,7 +4573,7 @@ defineSymbol(math, main, rel, "\u21c1", "\\rightharpoondown", true);
 defineSymbol(math, main, rel, "\u2196", "\\nwarrow", true);
 defineSymbol(math, main, rel, "\u21cc", "\\rightleftharpoons", true); // AMS Negated Binary Relations
 
-defineSymbol(math, ams, rel, "\u226e", "\\nless", true); // Symbol names preceeded by "@" each have a corresponding macro.
+defineSymbol(math, ams, rel, "\u226e", "\\nless", true); // Symbol names preceded by "@" each have a corresponding macro.
 
 defineSymbol(math, ams, rel, "\ue010", "\\@nleqslant");
 defineSymbol(math, ams, rel, "\ue011", "\\@nleqq");
@@ -16334,6 +16362,19 @@ class MacroExpander {
 
     return args;
   }
+  /**
+   * Increment `expansionCount` by the specified amount.
+   * Throw an error if it exceeds `maxExpand`.
+   */
+
+
+  countExpansion(amount) {
+    this.expansionCount += amount;
+
+    if (this.expansionCount > this.settings.maxExpand) {
+      throw new ParseError("Too many expansions: infinite loop or " + "need to increase maxExpand setting");
+    }
+  }
   /**
    * Expand the next token only once if possible.
    *
@@ -16369,12 +16410,7 @@ class MacroExpander {
       return false;
     }
 
-    this.expansionCount++;
-
-    if (this.expansionCount > this.settings.maxExpand) {
-      throw new ParseError("Too many expansions: infinite loop or " + "need to increase maxExpand setting");
-    }
-
+    this.countExpansion(1);
     var tokens = expansion.tokens;
     var args = this.consumeArgs(expansion.numArgs, expansion.delimiters);
 
@@ -16480,8 +16516,11 @@ class MacroExpander {
 
         output.push(token);
       }
-    }
+    } // Count all of these tokens as additional expansions, to prevent
+    // exponential blowup from linearly many \edef's.
+
 
+    this.countExpansion(output.length);
     return output;
   }
   /**
@@ -17489,8 +17528,9 @@ class Parser {
         // We treat these similarly to the unicode-math package.
         // So we render a string of Unicode (sub|super)scripts the
         // same as a (sub|super)script of regular characters.
-        var str = uSubsAndSups[lex.text];
         var isSub = unicodeSubRegEx.test(lex.text);
+        var subsupTokens = [];
+        subsupTokens.push(new Token(uSubsAndSups[lex.text]));
         this.consume(); // Continue fetching tokens to fill out the string.
 
         while (true) {
@@ -17504,12 +17544,12 @@ class Parser {
             break;
           }
 
+          subsupTokens.unshift(new Token(uSubsAndSups[token]));
           this.consume();
-          str += uSubsAndSups[token];
         } // Now create a (sub|super)script.
 
 
-        var body = new Parser(str, this.settings).parse();
+        var body = this.subparse(subsupTokens);
 
         if (isSub) {
           subscript = {
@@ -18319,7 +18359,7 @@ var katex = {
   /**
    * Current KaTeX version
    */
-  version: "0.16.9",
+  version: "0.16.10",
 
   /**
    * Renders the given LaTeX into an HTML+MathML combination, and adds

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "katex",
-  "version": "0.16.9",
+  "version": "0.16.10",
   "description": "Fast math typesetting for the web.",
   "main": "dist/katex.js",
   "exports": {
@@ -47,7 +47,7 @@
     "dist/"
   ],
   "license": "MIT",
-  "packageManager": "yarn@3.2.2",
+  "packageManager": "yarn@4.1.1",
   "devDependencies": {
     "@babel/core": "^7.18.13",
     "@babel/eslint-parser": "^7.18.9",

package/src/MacroExpander.js

@@ -245,6 +245,18 @@ export default class MacroExpander implements MacroContextInterface {
         return args;
     }
 
+    /**
+     * Increment `expansionCount` by the specified amount.
+     * Throw an error if it exceeds `maxExpand`.
+     */
+    countExpansion(amount: number): void {
+        this.expansionCount += amount;
+        if (this.expansionCount > this.settings.maxExpand) {
+            throw new ParseError("Too many expansions: infinite loop or " +
+                "need to increase maxExpand setting");
+        }
+    }
+
     /**
      * Expand the next token only once if possible.
      *
@@ -276,11 +288,7 @@ export default class MacroExpander implements MacroContextInterface {
             this.pushToken(topToken);
             return false;
         }
-        this.expansionCount++;
-        if (this.expansionCount > this.settings.maxExpand) {
-            throw new ParseError("Too many expansions: infinite loop or " +
-                "need to increase maxExpand setting");
-        }
+        this.countExpansion(1);
         let tokens = expansion.tokens;
         const args = this.consumeArgs(expansion.numArgs, expansion.delimiters);
         if (expansion.numArgs) {
@@ -375,6 +383,9 @@ export default class MacroExpander implements MacroContextInterface {
                 output.push(token);
             }
         }
+        // Count all of these tokens as additional expansions, to prevent
+        // exponential blowup from linearly many \edef's.
+        this.countExpansion(output.length);
         return output;
     }
 

package/src/Parser.js

@@ -405,19 +405,20 @@ export default class Parser {
                 // We treat these similarly to the unicode-math package.
                 // So we render a string of Unicode (sub|super)scripts the
                 // same as a (sub|super)script of regular characters.
-                let str = uSubsAndSups[lex.text];
                 const isSub = unicodeSubRegEx.test(lex.text);
+                const subsupTokens = [];
+                subsupTokens.push(new Token(uSubsAndSups[lex.text]));
                 this.consume();
                 // Continue fetching tokens to fill out the string.
                 while (true) {
                     const token = this.fetch().text;
                     if (!(uSubsAndSups[token])) { break; }
                     if (unicodeSubRegEx.test(token) !== isSub) { break; }
+                    subsupTokens.unshift(new Token(uSubsAndSups[token]));
                     this.consume();
-                    str += uSubsAndSups[token];
                 }
                 // Now create a (sub|super)script.
-                const body = (new Parser(str, this.settings)).parse();
+                const body = this.subparse(subsupTokens);
                 if (isSub) {
                     subscript = {type: "ordgroup", mode: "math", body};
                 } else {

package/src/Settings.js

@@ -346,7 +346,11 @@ export default class Settings {
      */
     isTrusted(context: AnyTrustContext): boolean {
         if (context.url && !context.protocol) {
-            context.protocol = utils.protocolFromUrl(context.url);
+            const protocol = utils.protocolFromUrl(context.url);
+            if (protocol == null) {
+                return false;
+            }
+            context.protocol = protocol;
         }
         const trust = typeof this.trust === "function"
             ? this.trust(context)

package/src/domTree.js

@@ -315,7 +315,8 @@ export class Img implements VirtualNode {
     }
 
     toMarkup(): string {
-        let markup = `<img  src='${this.src} 'alt='${this.alt}' `;
+        let markup = `<img src="${utils.escape(this.src)}"` +
+          ` alt="${utils.escape(this.alt)}"`;
 
         // Add the styles, after hyphenation
         let styles = "";
@@ -512,7 +513,7 @@ export class SvgNode implements VirtualNode {
         // Apply attributes
         for (const attr in this.attributes) {
             if (Object.prototype.hasOwnProperty.call(this.attributes, attr)) {
-                markup += ` ${attr}='${this.attributes[attr]}'`;
+                markup += ` ${attr}="${utils.escape(this.attributes[attr])}"`;
             }
         }
 
@@ -553,9 +554,9 @@ export class PathNode implements VirtualNode {
 
     toMarkup(): string {
         if (this.alternate) {
-            return `<path d='${this.alternate}'/>`;
+            return `<path d="${utils.escape(this.alternate)}"/>`;
         } else {
-            return `<path d='${path[this.pathName]}'/>`;
+            return `<path d="${utils.escape(path[this.pathName])}"/>`;
         }
     }
 }
@@ -586,7 +587,7 @@ export class LineNode implements VirtualNode {
 
         for (const attr in this.attributes) {
             if (Object.prototype.hasOwnProperty.call(this.attributes, attr)) {
-                markup += ` ${attr}='${this.attributes[attr]}'`;
+                markup += ` ${attr}="${utils.escape(this.attributes[attr])}"`;
             }
         }
 

package/src/symbols.js

@@ -204,7 +204,7 @@ defineSymbol(math, main, rel, "\u21cc", "\\rightleftharpoons", true);
 
 // AMS Negated Binary Relations
 defineSymbol(math, ams, rel, "\u226e", "\\nless", true);
-// Symbol names preceeded by "@" each have a corresponding macro.
+// Symbol names preceded by "@" each have a corresponding macro.
 defineSymbol(math, ams, rel, "\ue010", "\\@nleqslant");
 defineSymbol(math, ams, rel, "\ue011", "\\@nleqq");
 defineSymbol(math, ams, rel, "\u2a87", "\\lneq", true);

package/src/utils.js

@@ -93,11 +93,30 @@ export const assert = function<T>(value: ?T): T {
 
 /**
  * Return the protocol of a URL, or "_relative" if the URL does not specify a
- * protocol (and thus is relative).
+ * protocol (and thus is relative), or `null` if URL has invalid protocol
+ * (so should be outright rejected).
  */
-export const protocolFromUrl = function(url: string): string {
-    const protocol = /^\s*([^\\/#]*?)(?::|&#0*58|&#x0*3a)/i.exec(url);
-    return (protocol != null ? protocol[1] : "_relative");
+export const protocolFromUrl = function(url: string): string | null {
+    // Check for possible leading protocol.
+    // https://url.spec.whatwg.org/#url-parsing strips leading whitespace
+    // (U+20) or C0 control (U+00-U+1F) characters.
+    // eslint-disable-next-line no-control-regex
+    const protocol = /^[\x00-\x20]*([^\\/#?]*?)(:|&#0*58|&#x0*3a|&colon)/i
+    .exec(url);
+    if (!protocol) {
+        return "_relative";
+    }
+    // Reject weird colons
+    if (protocol[2] !== ":") {
+        return null;
+    }
+    // Reject invalid characters in scheme according to
+    // https://datatracker.ietf.org/doc/html/rfc3986#section-3.1
+    if (!/^[a-zA-Z][a-zA-Z0-9+\-.]*$/.test(protocol[1])) {
+        return null;
+    }
+    // Lowercase the protocol
+    return protocol[1].toLowerCase();
 };
 
 export default {