Black/white list please? #26

Open
pauljherring opened this issue Aug 10, 2015 · 8 comments

@pauljherring

I think we need either a whitelist, or blacklist, of things that can be used.

We've had to disable MathJax on our instance due to stuff like the following:

$$\class{modal modal-backdrop btn}{\style{position:fixed;left:0;}{\bbox[700px]{\text{this may be annoying}}}}$$

A working version of that post is on my test instance at: http://pjh.homeip.net/t/annoying-background/83

@dpvc

dpvc commented Aug 15, 2015

You may want to consider adding the "Safe" extension to your configuration, which can be used to limit the styles that can be applied and the class names that can be used, and so on (see the documentation for details). Or you could make a configuration that removes \class, \style, \cssId and \href commands entirely.

@pauljherring
Author

How/where does one go about adding that sorta thing in Discourse? There isn't a lot in the way of configuration options:

http://i.imgur.com/0iFI5Yw.png

@dpvc

dpvc commented Aug 17, 2015

Others will have to tell you that -- I don't use it myself. But certainly this file would be one place it could be done.

@pauljherring
Author

> But certainly this file would be one place it could be done.

I see.

Unfortunately, due to how plugins in Discourse (of which this is one) work, messing around with the source code on an installation is not a feasible way of configuring them.

It's looking like we'll simply have to do without this one.

@kasperpeulen
Owner

@pauljherring

In theory we could maybe also allow the user to configure MathJax a bit more.
Not really sure if that would be a good idea though.

You could also fork this repo, change the configuration, and then install the plugin with:

bundle exec rake plugin:install repo=https://github.com/pauljherring/discourse-mathjax

@dpvc

dpvc commented Aug 17, 2015

Well, for the Safe extension, you can get that in another way: by adding ",Safe" after the configuration file name, e.g., "TeX-AMS-MML_HTMLorMML,Safe", though you will have to take the default settings for it if you do that.

On the other hand, if you can add HTML to your theme or header or some other part of the page, then you might be able to configure MathJax by adding

<script type="text/x-mathjax-config">
MathJax.Hub.Config({
  Safe: {
     ... your configuration here ...
  }
});
</script>

to the page (whether MathJax is able to pick this up or not will depend on how Discourse loads MathJax).

It's too bad the plugin doesn't allow more direct control of the configuration.

@kasperpeulen
Owner

> It's too bad the plugin doesn't allow more direct control of the configuration.

@dpvc Any ideas how to make the plugin more configurable? It's been a long time since I've done Ruby/JavaScript programming. I guess the best way would be to let the user configure a JSON string, then convert this to an object and pass that to MathJax.Hub.Config?

@dpvc

dpvc commented Aug 17, 2015

@kasperpeulen, yes, that would work.
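
The JSON-setting approach discussed in the last comments, as an added example that is not code from discourse-mathjax or from anyone in this thread: the setting is parsed, filtered to an allowlist of top-level keys, and the Safe extension is forced on with `\class`, `\style`, `\cssId` and `\href` disallowed. `buildMathJaxConfig`, `PERMITTED_KEYS` and `LOCKED_ALLOW` are hypothetical names, and the policy values are constructed; the `allow` keys and the `"none"` value are MathJax v2 Safe extension options.

```javascript
// Added example: hypothetical helper, not part of discourse-mathjax or MathJax.
// Converts an admin-supplied JSON string into a MathJax v2 config object that
// always loads the Safe extension, whatever the setting contains.

// Safe-extension "allow" categories pinned to "none" (constructed policy):
// classes -> \class, cssIDs -> \cssId, styles -> \style, URLs -> \href.
const LOCKED_ALLOW = { classes: "none", cssIDs: "none", styles: "none", URLs: "none" };

// Top-level config keys the setting may supply (constructed allowlist).
const PERMITTED_KEYS = ["extensions", "tex2jax", "TeX", "Safe"];

const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

function buildMathJaxConfig(jsonString) {
  let user;
  try {
    user = JSON.parse(jsonString || "{}");
  } catch (e) {
    user = {}; // malformed setting: fall back to the locked-down defaults
  }
  if (!isPlainObject(user)) user = {};

  // Copy only allowlisted top-level keys; everything else is dropped.
  const config = {};
  for (const key of PERMITTED_KEYS) {
    if (Object.prototype.hasOwnProperty.call(user, key)) config[key] = user[key];
  }

  // Safe.js is appended even if the setting omits or replaces the list.
  const ext = Array.isArray(config.extensions)
    ? config.extensions.filter((e) => typeof e === "string")
    : [];
  if (!ext.includes("Safe.js")) ext.push("Safe.js");
  config.extensions = ext;

  // Other Safe options (e.g. sizeMax) pass through; LOCKED_ALLOW is applied
  // last so the setting cannot loosen those four categories.
  const safe = isPlainObject(config.Safe) ? config.Safe : {};
  const allow = isPlainObject(safe.allow) ? safe.allow : {};
  config.Safe = { ...safe, allow: { ...allow, ...LOCKED_ALLOW } };
  return config;
}

// Assumed wiring in the page: MathJax.Hub.Config(buildMathJaxConfig(settingValue));
```

Whether MathJax picks the result up still depends on how Discourse loads MathJax, as noted above.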
