Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command

[Max Nikulin]

On 26/02/2024 17:48, Ihor Radchenko wrote:
> Max Nikulin writes:
> > Something weird may be executed in the case of sufficiently complex
> > equations.
>
> > It should be more reliable to pass fragment to command stdin. It can be
> > done if %i is missed in `org-latex-to-html-convert-command'.
>
> I agree that it will be more reliable to shell-escape argument.
> However, I am concerned that escaping may break certain uses like
>
> somecommand << EOF
> %i
> EOF
>
> In the above scenario, escaping will break things.

It is unsafe to use such command. Variable expansion, etc. is performed 
inside here document blocks. Try

cat << EOF
\[f(i), \text{where $i \ne 10$}\]
EOF

That is why I proposed to use stdin in the case of missed %i.

`org-latex-to-html-convert-command' should be set to something like
"latexmlc --profile=math --preload=siunitx.sty - 2>/dev/null"
this case.

> That's why I prefer to add a new replacement, not change the meaning of
> %i. We might even remove %i from the docstring, keeping support in the
> code for backwards-compatibility.

What you calls backward compatibility is actually a means to get strange 
results in the case of complex math. It is better to force users to 
update configuration (I hope, it actually will not be necessary) and to 
ensure safe command without pitfalls related to missed parts of equations.

> (with-temp-file "/tmp/test2.html"
> (let ((org-latex-to-html-convert-command
>               "latexmlc literal:%I --profile=math --preload=siunitx.sty 
> 2>/dev/null"))
>          (insert (org-format-latex-as-html "$f' = df/dx$"))))
>
> test2.html is rendered *incorrectly* as in the attached screenshot.

Looks like missed <meta charset="UTF-8"> inside <head>

> In contrast, manually providing output file as
>
> latexmlc literal:\$f\'\ =\ df/dx\$ --profile=math --preload=siunitx.sty 
> --output /tmp/test3.html
>
> yields correct rendering.

Perhaps this time the browser just guessed file encoding. Anyway 
rendering is incorrect. Gecko puts derivative into the correct place. I 
have no idea if it is a fault of latexml generating incorrect MathML or 
a browser which is likely a KHTML descendant.

It seems, latexml is terribly broken in Debian. With 
--preload=siunitx.sty it hangs during processing of expl3-code.tex, 
without this option it removes all files in /tmp.

I am still strongly against code that may cause execution of equations 
as shell commands and may silently lose parts of equations.