Merge commit from fork

nsysean · edemaine · web-flow · commit ff289955e81a · 2025-01-17T15:24:52.000-05:00
* fix: escape \htmlData attribute name

* simplify escape lookup, add escape characters

* Add escape list source

* Fix escape list source

* fix: handling invalid HTML attribute names

* fix: change comments position

* fix: change HTML attribute name validator

* Factor out regex

* Improve tests to apply to check individual characters

* Rename regex

---------

Co-authored-by: Erik Demaine &lt;edemaine@mit.edu&gt;
diff --git a/.eslintrc b/.eslintrc
@@ -39,6 +39,7 @@
         "no-array-constructor": 2,
         "no-console": 2,
         "no-const-assign": 2,
+        "no-control-regex": 0,
         "no-debugger": 2,
         "no-dupe-class-members": 2,
         "no-dupe-keys": 2,
diff --git a/src/domTree.js b/src/domTree.js
@@ -17,6 +17,7 @@ import {path} from "./svgGeometry";
 import type Options from "./Options";
 import {DocumentFragment} from "./tree";
 import {makeEm} from "./units";
+import ParseError from "./ParseError";
 
 import type {VirtualNode} from "./tree";
 
@@ -83,6 +84,16 @@ const toNode = function(tagName: string): HTMLElement {
     return node;
 };
 
+/**
+ * https://w3c.github.io/html-reference/syntax.html#syntax-attributes
+ *
+ * > Attribute Names must consist of one or more characters
+ * other than the space characters, U+0000 NULL,
+ * '"', "'", ">", "/", "=", the control characters,
+ * and any characters that are not defined by Unicode.
+ */
+const invalidAttributeNameRegex = /[\s"'>/=\x00-\x1f]/;
+
 /**
  * Convert into an HTML markup string
  */
@@ -110,6 +121,9 @@ const toMarkup = function(tagName: string): string {
     // Add the attributes
     for (const attr in this.attributes) {
         if (this.attributes.hasOwnProperty(attr)) {
+            if (invalidAttributeNameRegex.test(attr)) {
+                throw new ParseError(`Invalid attribute name '${attr}'`);
+            }
             markup += ` ${attr}="${utils.escape(this.attributes[attr])}"`;
         }
     }
diff --git a/test/katex-spec.js b/test/katex-spec.js
@@ -2158,6 +2158,24 @@ describe("An HTML extension builder", function() {
         const built = getBuilt(html, trustNonStrictSettings);
         expect(built).toMatchSnapshot();
     });
+
+    it("should throw Error when HTML attribute name is invalid", function() {
+        for (const char of [">", " ", "\t", "\n", "\r", "\"", "'", "/"]) {
+            try {
+                katex.renderToString(
+                    `\\htmlData{a${char}b=foo}{bar}`, trustNonStrictSettings);
+
+                // Render is expected to throw, so this should not be called.
+                expect(true).toBe(false);
+            } catch (error) {
+                expect(error).toBeInstanceOf(ParseError);
+                const message =
+                    `Invalid attribute name 'data-a${char.replace(/\s/, ' ')}b'`;
+                expect(error.message).toBe(`KaTeX parse error: ${message}`);
+                expect(error.rawMessage).toBe(message);
+            }
+        }
+    });
 });
 
 describe("A bin builder", function() {
