Any HTML generated by KaTeX should be safe from
<script> or other code
Of course, it is always a good idea to sanitize the HTML, though you will need a rather generous whitelist (including some of SVG and MathML) to support all of KaTeX.
A variety of options give finer control over the security of KaTeX with untrusted inputs; refer to Options for more details.
maxSizecan prevent large width/height visual affronts.
maxExpandcan prevent infinite macro loop attacks.
trustcan allow certain commands that may load external resources or change HTML attributes and thus are not always safe (e.g.,
The error message thrown by KaTeX may contain unescaped LaTeX source code. See Handling Errors for more details.
Reporting a Vulnerability
If you have discovered a potential security issue with KaTeX:
- Please report the issue privately by emailing email@example.com.
- We will create a GitHub Security Advisory and (if desired) invite you as a collaborator for further discussion about the vulnerability and how to fix them. Please let us know your GitHub.com username so that we can add you.
- We will evaluate the vulnerability and, if necessary, release a fix and security advisory. We will credit you in the report.
- Please do not disclose the vulnerability publicly until after a fix has been released.