emacs-orgmode
From: Ihor Radchenko
Subject: Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command
Date: Fri, 08 Mar 2024 11:16:23 +0000

Max Nikulin <manikulin@gmail.com> writes:

>>> It should be more reliable to pass fragment to command stdin. It can be
>>> done if %i is missed in `org-latex-to-html-convert-command'.
>> 
>> I agree that it will be more reliable to shell-escape argument.
>> However, I am concerned that escaping may break certain uses like
>> 
>> somecommand << EOF
>> %i
>> EOF
>> 
>> In the above scenario, escaping will break things.
>
> It is unsafe to use such command. Variable expansion, etc. is performed 
> inside here document blocks. Try
>
> cat << EOF
> \[f(i), \text{where $i \ne 10$}\]
> EOF

I did not know this. Thanks for the info.

> That is why I proposed to use stdin in the case of missed %i.
>
> `org-latex-to-html-convert-command' should be set to something like
> "latexmlc --profile=math --preload=siunitx.sty - 2>/dev/null"
> this case.

I decided not to introduce stdin. Users can always use echo %i | ... instead.

>> That's why I prefer to add a new replacement, not change the meaning of
>> %i. We might even remove %i from the docstring, keeping support in the
>> code for backwards-compatibility.
>
> What you call backward compatibility is actually a means to get strange 
> results in the case of complex math. It is better to force users to 
> update configuration (I hope, it actually will not be necessary) and to 
> ensure safe command without pitfalls related to missed parts of equations.

Agree.
This breaking change cannot be avoided, unfortunately.
Even stripping quotes is unreliable when we use the example from
docstring: 'literal:%i'. So, we have to bite the bullet.

>> test2.html is rendered *incorrectly* as in the attached screenshot.
>
> Looks like a missing <meta charset="UTF-8"> inside <head>
> ...

Exporting an Org document using

(setq org-html-with-latex 'html)
(setq org-latex-to-html-convert-command "latexmlc 'literal:%i' --profile=math --preload=siunitx.sty 2>/dev/null")

renders just fine, so these caveats appear to be terminal-specific. Not
our problem.

Attaching tentative patch that fixes the problem.

From 34e5e14260cf895b32f13ed8f4c2e50684f91baf Mon Sep 17 00:00:00 2001
Message-ID: <34e5e14260cf895b32f13ed8f4c2e50684f91baf.1709896570.git.yantar92@posteo.net>
From: Ihor Radchenko <yantar92@posteo.net>
Date: Fri, 8 Mar 2024 14:05:12 +0300
Subject: [PATCH] org-latex-to-mathml/html-convert-command: Prevent shell
 expansion

* lisp/org.el (org-create-math-formula):
(org-format-latex-as-html): Shell-quote LaTeX fragment text when
replacing %i placeholder.  This prevents shell expansion of
$... and similar constructs inside the code.
(org-latex-to-mathml-convert-command):
(org-latex-to-html-convert-command): Update the docstring.
* etc/ORG-NEWS (~org-latex-to-mathml-convert-command~ and
~org-latex-to-html-convert-command~ shell-escape LaTeX code): Announce
the breaking change.

Reported-by: Max Nikulin <manikulin@gmail.com>
Link: https://orgmode.org/list/735645dd-1ddf-4579-a6dd-2700f3e83c94@gmail.com
---
 etc/ORG-NEWS | 10 ++++++++++
 lisp/org.el  | 17 ++++++-----------
 2 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/etc/ORG-NEWS b/etc/ORG-NEWS
index abe62daaf..9f628bc10 100644
--- a/etc/ORG-NEWS
+++ b/etc/ORG-NEWS
@@ -13,6 +13,16 @@ Please send Org bug reports to mailto:emacs-orgmode@gnu.org.
 
 * Version 9.7 (not released yet)
 ** Important announcements and breaking changes
+*** ~org-latex-to-mathml-convert-command~ and 
~org-latex-to-html-convert-command~ shell-escape LaTeX code
+
+Previously, ~org-latex-to-mathml-convert-command~ and
+~org-latex-to-html-convert-command~ replaced %i placeholders with raw
+LaTeX fragment text, potentially triggered shell-expansion.
+
+Now, the %i placeholders are shell-escaped to prevent shell expansion - this 
will prevent.
+
+The existing customizations that assume no shell-escaping must be updated.
+
 *** When ~org-link-file-path-type~ is a function, its argument is now a 
filename as it is read by ~org-insert-link~; not an absolute path
 
 Previously, when ~org-link-file-path-type~ is set to a function, the
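Review bot: the new ORG-NEWS entry is left unfinished: "Now, the %i placeholders are shell-escaped to prevent shell expansion - this will prevent." stops mid-sentence, and "potentially triggered shell-expansion" in the paragraph above should read "potentially triggering shell expansion". Since this is the text users will read when their export breaks, suggest finishing it with the concrete instruction, e.g. "Customizations that wrap %i in quotes (such as the old latexmlc 'literal:%i' example) must drop the quotes, because Org now quotes the fragment for the shell."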
diff --git a/lisp/org.el b/lisp/org.el
index 33d90506b..a00d50c51 100644
--- a/lisp/org.el
+++ b/lisp/org.el
@@ -3246,7 +3246,7 @@ (defcustom org-latex-to-mathml-convert-command nil
 %j:     Executable file in fully expanded form as specified by
         `org-latex-to-mathml-jar-file'.
 %I:     Input LaTeX file in fully expanded form.
-%i:     The latex fragment to be converted.
+%i:     Shell-escaped LaTeX fragment to be converted.
 %o:     Output MathML file.
 
 This command is used by `org-create-math-formula'.
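Review bot: the wording for %i here ("Shell-escaped LaTeX fragment to be converted.") differs from the html counterpart in this same patch ("The LaTeX fragment to be converted (shell-escaped)."); pick one form for both docstrings. Neither line tells the user not to add their own quotes around %i, which is the one thing existing configurations have to change.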
@@ -3255,7 +3255,7 @@ (defcustom org-latex-to-mathml-convert-command nil
 \"java -jar %j -unicode -force -df %o %I\".
 
 When using LaTeXML set this option to
-\"latexmlmath \"%i\" --presentationmathml=%o\"."
+\"latexmlmath %i --presentationmathml=%o\"."
   :group 'org-latex
   :version "24.1"
   :type '(choice
@@ -3268,15 +3268,10 @@ (defcustom org-latex-to-html-convert-command nil
 directly replace the LaTeX fragment in the resulting HTML.
 Replace format-specifiers in the command as noted below and use
 `shell-command' to convert LaTeX to HTML.
-%i:     The LaTeX fragment to be converted.
+%i:     The LaTeX fragment to be converted (shell-escaped).
 
 For example, this could be used with LaTeXML as
-\"latexmlc \\='literal:%i\\=' --profile=math --preload=siunitx.sty 
2>/dev/null\".
-
-The LaTeX fragment is replaced as is, without escaping special shell
-syntax.  It may be necessary to use single-quotes around \\='%i\\=', not
-double-quotes.  Else a math fragment such as \"$y = 200$\" may be
-expanded to \" = 200\"."
+\"latexmlc literal:%i --profile=math --preload=siunitx.sty 2>/dev/null\"."
   :group 'org-latex
   :package-version '(Org . "9.4")
   :type '(choice
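Review bot: removing the whole caveat paragraph drops the only place that explained the quoting pitfall; the replacement example "latexmlc literal:%i ..." is right but does not say why the quotes went away. On POSIX systems `shell-quote-argument` backslash-escapes the fragment rather than single-quoting it, so a user who keeps \\='literal:%i\\=' from the old docstring gets every backslash passed literally inside the single quotes and the conversion silently produces wrong math. Suggest keeping one sentence such as "Do not put quotes around %i; Org quotes the fragment for the shell." Note also that `shell-quote-argument` uses different rules on MS-Windows, so the example applies to POSIX shells.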
@@ -16210,7 +16205,7 @@ (defun org-create-math-formula (latex-frag &optional 
mathml-file)
                              (expand-file-name
                               org-latex-to-mathml-jar-file))))
                 (?I . ,(shell-quote-argument tmp-in-file))
-                (?i . ,latex-frag)
+                (?i . ,(shell-quote-argument latex-frag))
                 (?o . ,(shell-quote-argument tmp-out-file)))))
         mathml shell-command-output)
     (when (called-interactively-p 'any)
@@ -16277,7 +16272,7 @@ (defun org-format-latex-as-html (latex-fragment)
   "Convert LATEX-FRAGMENT to HTML.
 This uses  `org-latex-to-html-convert-command', which see."
   (let ((cmd (format-spec org-latex-to-html-convert-command
-                         `((?i . ,latex-fragment)))))
+                         `((?i . ,(shell-quote-argument latex-fragment))))))
     (message "Running %s" cmd)
     (shell-command-to-string cmd)))
 
-- 
2.43.0

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
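As an added illustration, not part of the thread or of Org's own code, the following Python script reproduces the behaviour the patch changes: the same LaTeX fragment substituted for %i once raw (pre-patch) and once shell-quoted (post-patch), each run through sh the way `shell-command-to-string` would. The `shell_quote_posix` function is an emulation of Emacs' `shell-quote-argument` for POSIX shells written for this example, the printf-based command template stands in for latexmlc, and the sample fragment is constructed from the one in the thread; all three are assumptions of the example.

```python
import re
import subprocess

# Constructed sample input, based on the fragment quoted in the thread:
# the `$i` is what an unquoted POSIX shell treats as a variable reference.
FRAGMENT = r"\text{where $i \ne 10$}"

# Command template in the style of the patched docstring: a bare %i with no
# quotes added by the user.  printf stands in for latexmlc so the example
# runs without LaTeXML installed (assumption of this example).
TEMPLATE = "printf '%s\\n' %i"


def shell_quote_posix(arg: str) -> str:
    """Emulate Emacs' `shell-quote-argument` on POSIX systems.

    Assumption: modelled on the Emacs source, which backslash-escapes every
    character outside [-0-9a-zA-Z_./\\n] and wraps each newline in single
    quotes; an empty argument becomes ''.  It does not single-quote the
    whole value, which is why user-supplied quotes around %i now break.
    """
    if arg == "":
        return "''"
    escaped = re.sub(r"[^-0-9a-zA-Z_./\n]", lambda m: "\\" + m.group(0), arg)
    return escaped.replace("\n", "'\n'")


def expand_template(template: str, fragment: str, quote: bool) -> str:
    """Substitute %i as `format-spec` does: raw (old) or shell-quoted (new)."""
    value = shell_quote_posix(fragment) if quote else fragment
    return template.replace("%i", value)


def run_in_sh(command: str) -> tuple[int, str]:
    """Hand the finished command line to sh, as `shell-command-to-string` does."""
    proc = subprocess.run(["sh", "-c", command], capture_output=True, text=True)
    return proc.returncode, proc.stdout.rstrip("\n")


def compare(fragment: str = FRAGMENT, template: str = TEMPLATE) -> dict:
    """Run both substitutions and report whether the fragment survived intact."""
    raw_rc, raw_out = run_in_sh(expand_template(template, fragment, quote=False))
    quoted_rc, quoted_out = run_in_sh(expand_template(template, fragment, quote=True))
    return {
        "raw_command": expand_template(template, fragment, quote=False),
        "raw_output": raw_out,
        "raw_intact": raw_rc == 0 and raw_out == fragment,
        "quoted_command": expand_template(template, fragment, quote=True),
        "quoted_output": quoted_out,
        "quoted_intact": quoted_rc == 0 and quoted_out == fragment,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value!r}")
```

With the raw substitution the shell drops `$i` (an unset variable) and strips the backslashes from `\text` and `\ne`, so what reaches the converter is no longer the user's math; with the quoted substitution the fragment arrives byte for byte. The same expansion happens inside an unquoted here-document, and there quoting does not help either, because a here-document keeps backslashes literal; that is the reason the thread treats `somecommand << EOF ... %i ... EOF` templates as unsafe rather than something the patch can accommodate.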
