katex: allow \htmlId #11906

Closed
opened 2025-11-02 09:51:30 -06:00 by GiteaMirror · 4 comments

Originally created by @nschloe on GitHub (Oct 24, 2023).

Feature Description

In Gitea, it's possible to manually set the HTML id in elements, e.g.,

```html
<h1 id="myHeader">My Header</h1>
```

> My Header

Math equations can contain an ID as well, making it possible to link to them, see https://katex.org/docs/supported.html#html:

```latex
\[
\htmlId{my-equation}{x + y = z}
\]
```

For this to work, the `\htmlId` attribute must be explicitly enabled in KaTeX's config.

Screenshots

No response

GiteaMirror added the type/proposal, issue/needs-feedback, type/upstream labels 2025-11-02 09:51:30 -06:00

@wxiaoguang commented on GitHub (Dec 6, 2024):

> Math equations can contain an ID as well, making it possible to link to them, see https://katex.org/docs/supported.html#html:

https://katex.org/docs/supported.html#html

> The following "raw HTML" features are potentially dangerous for untrusted inputs, so they are disabled by default, and attempting to use them produces the command names in red (which you can configure via the errorColor option). To fully trust your LaTeX input, you need to pass an option of trust: true; you can also enable just some of the commands or for just some URLs via the trust option.

So it can't be enabled for the instances with many users.

If you really need this feature, I think you could build your own Gitea instance to enable it.


@delvh commented on GitHub (Dec 6, 2024):

Yeah, I see the problem:
If a user-provided ID collides with an existing ID, then the user-provided ID might be picked instead of ours.
This is especially bad as there are some `form.x = querySelector('#<id>').x` inside the code.
However, I do see an option for how we can circumvent these problems:
If we reserve for example the `katex-` prefix for use by the math mode (IDs, classes, data attributes), then there is no harm to be done by defining your own IDs.
I'm not sure, how is `\htmlStyle` dangerous?
If I see that correctly, it only sets the style of your own element. How can you misuse that? The only thing I can think of is to request a background image from an untrusted website. But even then, what would be the worst-case scenario in this case?
The malicious server receives your IP?

Apart from the style issue, it may be possible to ask KaTeX for a prefix for these things to elevate them from untrusted to trusted status.

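The two comments above describe KaTeX's per-command `trust` option and the ID-collision risk. As an added example (not Gitea's or KaTeX's own code), the predicate below shows how a renderer could enable `\htmlId` alone, and only for IDs carrying a reserved namespace prefix, so a user-supplied ID can never shadow one of the application's own element IDs and every other raw-HTML command stays disabled. It assumes KaTeX invokes the `trust` callback with a context object carrying `command` and, for `\htmlId`, `id` (as described in the KaTeX options documentation); the `user-` prefix and the length limit are constructed choices for this example.

```javascript
// Added example, not code from Gitea or KaTeX.
// A KaTeX `trust` predicate that allows \htmlId only for namespaced ids.
//
// Assumptions: KaTeX calls the predicate with { command, id } for \htmlId
// (other commands carry other fields, e.g. { command, style } for \htmlStyle);
// "user-" is a constructed prefix chosen so user ids cannot collide with the
// application's own ids (form elements, headings, anchors).

const ID_PREFIX = "user-";

// Prefix, then a conservative character set: no whitespace, quotes, '#' or
// other characters that could confuse a later querySelector('#<id>') lookup.
const SAFE_ID = new RegExp("^" + ID_PREFIX + "[A-Za-z0-9][A-Za-z0-9_-]{0,63}$");

function trustPolicy(context) {
  if (!context || typeof context !== "object") return false;
  // Only \htmlId is eligible; \htmlStyle, \htmlClass, \htmlData, \url, \href,
  // \includegraphics and anything else remain untrusted (rendered in red).
  if (context.command !== "\\htmlId") return false;
  if (typeof context.id !== "string") return false;
  return SAFE_ID.test(context.id);
}

// Convenience for callers that want to namespace an id before it reaches
// the markup, e.g. when rewriting \htmlId{my-equation}{...} on the server.
function namespaceId(rawId) {
  return ID_PREFIX + rawId;
}

// Usage with KaTeX (not executed here; requires the katex package):
//   katex.renderToString(String.raw`\htmlId{user-my-equation}{x + y = z}`,
//                        { trust: trustPolicy });
```

Passing `trust: trustPolicy` instead of `trust: true` keeps the default-deny posture the KaTeX documentation recommends for untrusted input; only the one command and the one ID shape that the policy explicitly accepts are rendered.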

@nschloe commented on GitHub (Dec 10, 2024):

I've started a discussion on KaTeX, https://github.com/KaTeX/KaTeX/discussions/4001.


@GiteaBot commented on GitHub (Jan 9, 2025):

We close issues that need feedback from the author if there were no new comments for a month. 🍵

Reference: github-starred/gitea#11906