Security hardening

[145818]

Question

I like the setup of this project and it looks really sleek. Would like to use it. Two questions:

1. Highlight.js 10.1.1 has vulnerabilities. I saw update discussions in #1622 and discussions of swapping it in #1652. Is there any built in way to just disable highlightjs for now?

2. Is there a recommended way to disable book.js / the playgrounds? The point being to prevent code execution.

In my own quick testing it seems one way is to set nothing else but // inside theme/book.js and theme/highlight.js. Does this actually disable them and is this recommended method or is there some value in book.toml I can set to false instead etc? Thank you for your time!

Version

mdbook v0.4.51

[f-hc]

I'm setting up my mdBook and found:

• playground: https://rust-lang.github.io/mdBook/format/mdbook.html#rust-playground

  [output.html.playground]
  runnable = false
  

• highlight.js: I'll try to apply #1652 locally on the latest version but your hack with // is interesting

[145818]

* playground: https://rust-lang.github.io/mdBook/format/mdbook.html#rust-playground
  [output.html.playground]
  runnable = false

Thank you, did not know about this. Great it's built in the playground can be turned off from the book.toml! Completely disabling book.js via the //-hack also works, but then the theme selection also breaks, way better to disable via book.toml.

* highlight.js: I'll try to apply [Using syntect as a higlighting backend rather than highlight.js #1652](https://github.com/rust-lang/mdBook/pull/1652) locally on the latest version but your hack with `//` is interesting

It has had conflicts since April so probably not so straightforward, would be fantastic to get that one in. But yes, the // hack in highlight.js seems to work and does not break functionality in any dramatic way.

[145818]

* playground: https://rust-lang.github.io/mdBook/format/mdbook.html#rust-playground
  [output.html.playground]
  runnable = false

Actually it doesn't work, opened up bug case.