Security hardening
Question
I like the setup of this project and it looks really sleek. Would like to use it. Two questions:
- Highlight.js 10.1.1 has vulnerabilities. I saw update discussions in #1622 and discussions of swapping it in #1652. Is there any built-in way to just disable highlight.js for now?
- Is there a recommended way to disable book.js / the playgrounds? The point being to prevent code execution.
In my own quick testing it seems one way is to set nothing but `//` inside theme/book.js and theme/highlight.js. Does this actually disable them, and is this the recommended method, or is there some value in book.toml I can set to false instead, etc.? Thank you for your time!
Version
mdbook v0.4.51
I'm setting up my mdBook and found:
- playground: https://rust-lang.github.io/mdBook/format/mdbook.html#rust-playground `[output.html.playground] runnable = false`
- highlight.js: I'll try to apply #1652 locally on the latest version but your hack with `//` is interesting
> * playground: https://rust-lang.github.io/mdBook/format/mdbook.html#rust-playground `[output.html.playground] runnable = false`

Thank you, did not know about this. Great that it's built in; the playground can be turned off from the book.toml! Completely disabling book.js via the `//` hack also works, but then the theme selection also breaks, so it is way better to disable it via book.toml.
> * highlight.js: I'll try to apply [Using syntect as a higlighting backend rather than highlight.js #1652](https://github.com/rust-lang/mdBook/pull/1652) locally on the latest version but your hack with `//` is interesting

It has had conflicts since April, so it is probably not so straightforward; it would be fantastic to get that one in. But yes, the `//` hack in highlight.js seems to work and does not break functionality in any dramatic way.
> * playground: https://rust-lang.github.io/mdBook/format/mdbook.html#rust-playground `[output.html.playground] runnable = false`

Actually it doesn't work; opened up a bug case.
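Since the last reply reports that the book.toml setting did not take effect, it helps to verify the rendered output rather than trust the configuration. The POSIX shell check below is an added example, not part of this thread or of the mdBook project; it assumes mdBook writes the site to a directory (default `book`), marks runnable blocks as `<pre class="playground">`, and copies `theme/highlight.js` to `<outdir>/highlight.js`.

```shell
#!/bin/sh
# Added verification script (not mdBook's own code): confirm that a built book
# really has the playground and highlight.js disabled.
# Assumptions: the rendered site lives in one directory (default ./book),
# runnable blocks are emitted as <pre class="playground">, and the theme's
# highlight.js is copied to <outdir>/highlight.js.

# Count rendered HTML pages that still contain a runnable playground block.
count_playground_pages() {
  find "$1" -name '*.html' -exec grep -l 'class="playground"' {} + 2>/dev/null \
    | wc -l | tr -d ' '
}

# Return 0 when highlight.js is effectively disabled: either missing or made
# of nothing but blank lines and "//" comments (the stub from the thread).
highlight_disabled() {
  f="$1/highlight.js"
  [ -f "$f" ] || return 0
  # Any line that is neither blank nor a // comment means real code remains.
  if grep -qvE '^[[:space:]]*(//.*)?$' "$f"; then
    return 1
  fi
  return 0
}

# Overall verdict: 0 if the build is hardened, 1 otherwise, reasons on stderr.
check_book_output() {
  dir="${1:-book}"
  rc=0
  n=$(count_playground_pages "$dir")
  if [ "$n" -gt 0 ]; then
    echo "$n page(s) still contain <pre class=\"playground\"> blocks" >&2
    rc=1
  fi
  if ! highlight_disabled "$dir"; then
    echo "highlight.js in $dir still contains code" >&2
    rc=1
  fi
  return $rc
}

# Usage after `mdbook build`:  check_book_output book && echo hardened
```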