Extension talk:Mimetex alternative

From mediawiki.org
Latest comment: 14 years ago by Stelio in topic Security Question

What is the reason for using tex tags instead of math tags for this? I would like to be able to copy content from a wikipedia page, and not have to modify the tags. I've tried changing the hook in mimetex.php, and that did not work. Does anyone know how to get mimetex to work with math tags?

i second the question. 04:05, 14 March 2009 (UTC)Reply[reply]

Replace the parser tex hook with math ( $wgParser->setHook( "math", "render_Mimetex"); ) then disable $wgUseTeX in LocalSettings.php. You may also need to comment out " case 'math': " in includes/parser/Parser.php (unsure about the last bit, but did it anyway - note that this will be overwritten when you upgrade to a new version)

Security Question[edit]

Is such extention safe? I mean the PHP code just make unescaped substitution

function render_Mimetex($input, $argv, $parser = null) {

 if (!$parser) $parser =& $GLOBALS['wgParser'];
 // $img_url is the url the mimetex will be sent to.
 // IMPORTANT!! The URL below should be the link to YOUR mimetex.cgi if possible
 $img_url = "http://www.forkosh.dreamhost.com/mimetex.cgi?".$input;

 // Sets the output of the tex tag using the url from above, and the input as
 // the Alt text.  It's important to note that there is no error output added yet.
 $output = "<img src=\"$img_url\" alt= \"$input\" />";

 return $output;


So, let suppose that $input is "... .cgi?\">some injection code < "

Then $output is:

<img src= "http://www.forkosh.dreamhost.com/mimetex.cgi?">some injection code

Do the MediaWiki escape the value of the $output? Or the Injection code will be substituted into page directly?

Writing the following in a wiki page:
    <TEX>x"><BR>Insertion code!</TEX>
Gives this result:
Insertion code!" alt= "x">
Insertion code!" />
(where the italic x above is actually a Mimetex rendered image).
The solution is to convert any quote marks (") into their equivalent HTML entity (&quot;). This will work because Mimetex specifically recognises the entity &quot; and displays it as part of its rendered output.
The additional line of code required in the PHP is:
    $input = preg_replace('/"/', '&quot;', $input);
I have tested this on my own wiki and it works, so I have also made this change to the PHP code on the article page.
-Stelio 11:42, 19 May 2009 (UTC)Reply[reply]