id: security
Any HTML generated by KaTeX should be safe from <script>
or other code
injection attacks.
Of course, it is always a good idea to sanitize the HTML, though you will need a rather generous whitelist (including some of SVG and MathML) to support all of KaTeX.
Use maxSize
option for preventing large width/height visual affronts,
use maxExpand
for preventing infinite macro loop attacks, and
use allowedProtocols
for preventing certain protocols in \href
. Please
refer to Options for more details.
The error message thrown by KaTeX may contain unescaped LaTeX source code. See Handling Errors for more details.
If you discovered a security issue, please let us know via https://hackerone.com/khanacademy