
fix: htmlSanitize stripping away valid MML tags

Open icc opened this issue 2 years ago • 2 comments

Description

The DOMPurify dependency has been upgraded to the latest version. The previous version is old and lacks support for certain tags, etc. E.g. support for the mprescripts tag was added in 3.0.2.

The newer version should be compatible with how DOMPurify is used today.

Steps to reproduce

Edit this MathML in e.g. CKEditor5:

<math xmlns="http://www.w3.org/1998/Math/MathML">
  <mmultiscripts>
    <msubsup>
      <mi>c</mi>
      <mi>h</mi>
      <mi>h</mi>
    </msubsup>
    <mprescripts/>
    <mi>h</mi>
    <mi>h</mi>
  </mmultiscripts>
</math>

and observe that the mprescripts tag is removed, resulting in a different expression.

icc, Feb 15 '24 11:02
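A regression check for the behaviour reported above, as an added example that is not part of the thread or of the project's code: it counts element names before and after sanitization and reports any that disappeared. The function names, the allowlist stub (a test double, not a sanitizer) and the two tag lists are constructed for illustration and do not reproduce DOMPurify's real allowlists.

```javascript
// Constructed sample: the MathML from the report above.
const SAMPLE = `<math xmlns="http://www.w3.org/1998/Math/MathML">
  <mmultiscripts>
    <msubsup><mi>c</mi><mi>h</mi><mi>h</mi></msubsup>
    <mprescripts/>
    <mi>h</mi><mi>h</mi>
  </mmultiscripts>
</math>`;

// Count opening and self-closing element names in a markup string.
function countElements(markup) {
  const counts = new Map();
  for (const m of markup.matchAll(/<([A-Za-z][\w:.-]*)(?=[\s/>])/g)) {
    const name = m[1].toLowerCase();
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  return counts;
}

// Return { name: missingCount } for every element the sanitizer removed.
function droppedElements(input, sanitize) {
  const before = countElements(input);
  const after = countElements(sanitize(input));
  const dropped = {};
  for (const [name, n] of before) {
    const lost = n - (after.get(name) || 0);
    if (lost > 0) dropped[name] = lost;
  }
  return dropped;
}

// Hypothetical test double, NOT a sanitizer: deletes tags whose name is
// missing from `allowed` and keeps everything else untouched.
function makeAllowlistStub(allowed) {
  const ok = new Set(allowed);
  return (markup) =>
    markup.replace(/<\/?([A-Za-z][\w:.-]*)[^>]*>/g, (tag, name) =>
      ok.has(name.toLowerCase()) ? tag : "");
}

// Constructed allowlists: one without mprescripts, one with it.
const OLD_LIST = ["math", "mmultiscripts", "msubsup", "mi"];
const NEW_LIST = [...OLD_LIST, "mprescripts"];

console.log(droppedElements(SAMPLE, makeAllowlistStub(OLD_LIST))); // { mprescripts: 1 }
console.log(droppedElements(SAMPLE, makeAllowlistStub(NEW_LIST))); // {}
```

In a real test suite, pass the integration's actual sanitizing function as `sanitize` and fail the test when the result is non-empty for known-valid MathML.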

As a workaround until this is merged, the parent project may override the dependency in package.json like this:

  "overrides": {
    "@wiris/mathtype-html-integration-devkit": {
      "dompurify": "^3.0.6"
    }
  }

icc, Feb 15 '24 11:02

Hi @icc, thank you for noticing the issue and proposing this solution!

We will send your proposal to the next step and once it's ready to release, we'll let you know! Any further issues, please feel free to contact us.

carla-at-wiris, Feb 16 '24 15:02

This solution has been included in our latest release. Check the following Pull Requests to see the changes related to it: #941 and #926.

Thank you for noticing the issue and taking the time to write the solution!

carla-at-wiris, May 27 '24 14:05