From 34e5e14260cf895b32f13ed8f4c2e50684f91baf Mon Sep 17 00:00:00 2001
Message-ID: <34e5e14260cf895b32f13ed8f4c2e50684f91baf.1709896570.git.yantar92@posteo.net>
From: Ihor Radchenko
Date: Fri, 8 Mar 2024 14:05:12 +0300
Subject: [PATCH] org-latex-to-mathml/html-convert-command: Prevent shell expansion

* lisp/org.el (org-create-math-formula):
(org-format-latex-as-html): Shell-quote LaTeX fragment text when replacing %i placeholder. This prevents shell expansion of $... and similar constructs inside the code.
(org-latex-to-mathml-convert-command):
(org-latex-to-html-convert-command): Update the docstring.
* etc/ORG-NEWS (~org-latex-to-mathml-convert-command~ and ~org-latex-to-html-convert-command~ shell-escape LaTeX code): Announce the breaking change.

Reported-by: Max Nikulin
Link: https://orgmode.org/list/735645dd-1ddf-4579-a6dd-2700f3e83c94@gmail.com
---
 etc/ORG-NEWS | 10 ++++++++++
 lisp/org.el | 17 ++++++-----------
 2 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/etc/ORG-NEWS b/etc/ORG-NEWS
index abe62daaf..9f628bc10 100644
--- a/etc/ORG-NEWS
+++ b/etc/ORG-NEWS
@@ -13,6 +13,16 @@ Please send Org bug reports to mailto:emacs-orgmode@gnu.org.
 * Version 9.7 (not released yet)
 ** Important announcements and breaking changes
+*** ~org-latex-to-mathml-convert-command~ and ~org-latex-to-html-convert-command~ shell-escape LaTeX code
+
+Previously, ~org-latex-to-mathml-convert-command~ and
+~org-latex-to-html-convert-command~ replaced %i placeholders with raw
+LaTeX fragment text, potentially triggered shell-expansion.
+
+Now, the %i placeholders are shell-escaped to prevent shell expansion - this will prevent.
+
+The existing customizations that assume no shell-escaping must be updated.
+
 *** When ~org-link-file-path-type~ is a function, its argument is now a filename as it is read by ~org-insert-link~; not an absolute path
 Previously, when ~org-link-file-path-type~ is set to a function, the
diff --git a/lisp/org.el b/lisp/org.el
index 33d90506b..a00d50c51 100644
--- a/lisp/org.el
+++ b/lisp/org.el
@@ -3246,7 +3246,7 @@ (defcustom org-latex-to-mathml-convert-command nil
 %j: Executable file in fully expanded form as specified by
 `org-latex-to-mathml-jar-file'.
 %I: Input LaTeX file in fully expanded form.
-%i: The latex fragment to be converted.
+%i: Shell-escaped LaTeX fragment to be converted.
 %o: Output MathML file.
 This command is used by `org-create-math-formula'.
@@ -3255,7 +3255,7 @@ (defcustom org-latex-to-mathml-convert-command nil
 \"java -jar %j -unicode -force -df %o %I\".
 When using LaTeXML set this option to
-\"latexmlmath \"%i\" --presentationmathml=%o\"."
+\"latexmlmath %i --presentationmathml=%o\"."
 :group 'org-latex
 :version "24.1"
 :type '(choice
@@ -3268,15 +3268,10 @@ (defcustom org-latex-to-html-convert-command nil
 directly replace the LaTeX fragment in the resulting HTML.
 Replace format-specifiers in the command as noted below and use
 `shell-command' to convert LaTeX to HTML.
-%i: The LaTeX fragment to be converted.
+%i: The LaTeX fragment to be converted (shell-escaped).
 For example, this could be used with LaTeXML as
-\"latexmlc \\='literal:%i\\=' --profile=math --preload=siunitx.sty 2>/dev/null\".
-
-The LaTeX fragment is replaced as is, without escaping special shell
-syntax. It may be necessary to use single-quotes around \\='%i\\=', not
-double-quotes. Else a math fragment such as \"$y = 200$\" may be
-expanded to \" = 200\"."
+\"latexmlc literal:%i --profile=math --preload=siunitx.sty 2>/dev/null\"."
 :group 'org-latex
 :package-version '(Org . "9.4")
 :type '(choice
@@ -16210,7 +16205,7 @@ (defun org-create-math-formula (latex-frag &optional mathml-file)
 (expand-file-name org-latex-to-mathml-jar-file))))
 (?I . ,(shell-quote-argument tmp-in-file))
-(?i . ,latex-frag)
+(?i . ,(shell-quote-argument latex-frag))
 (?o . ,(shell-quote-argument tmp-out-file)))))
 mathml shell-command-output)
 (when (called-interactively-p 'any)
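Review bot: The rewritten %i line in the org-latex-to-mathml-convert-command docstring is the only placeholder marked as shell-escaped, but the org-create-math-formula hunk at -16210 shows %I and %o substituted through `shell-quote-argument` as well, and %j appears to be too (its quoting call sits just above the hunk, so that part is inferred). Someone writing a command template cannot tell from this docstring that they must not add their own quotes around %I, %j or %o either. Stating it once for the whole list is clearer than marking %i alone, e.g. `All placeholders are substituted already quoted for the shell; do not wrap them in quotes yourself.` placed after the %o line.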
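Review bot: The new example `\"latexmlmath %i --presentationmathml=%o\"` drops the inner quotes of the old one, but neither this docstring nor the one in the hunk at -3268 says that an existing template which still wraps %i in double or single quotes will now produce wrong converter input instead of failing loudly: on non-Windows systems `shell-quote-argument` escapes each special character with a backslash, so inside a quoted word those backslashes reach the converter literally (worth confirming against the Emacs versions Org supports). ORG-NEWS announces the breaking change, but the docstring is where a user editing their template will look. A sentence such as `The value is substituted already quoted for the shell; do not put quotes around %i.` next to the example, here and in the -3268 hunk, would carry that information to the right place.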
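Review bot: The two defcustom docstrings now describe the same substitution in different words: the -3246 hunk says `%i: Shell-escaped LaTeX fragment to be converted.` while the -3268 hunk says `%i: The LaTeX fragment to be converted (shell-escaped).` Using one phrasing in both places makes it easier to grep for and to keep in sync the next time the placeholder semantics change. Either form is fine; the first is shorter.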
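Review bot: The commit adds `(shell-quote-argument latex-frag)` without a regression test; the diffstat lists only etc/ORG-NEWS and lisp/org.el. The `$y = 200$` example that the removed docstring paragraph used to explain the old expansion problem is a natural test input, and a test that binds `org-latex-to-html-convert-command` to a constructed template such as `"echo %i"` and checks that the string comes back through `shell-command-to-string` unchanged would pin the behaviour for org-format-latex-as-html at -16277 without depending on any external converter; org-create-math-formula here is harder to isolate because it also writes temporary files. The let-binding that builds this format-spec alist starts above the hunk.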
@@ -16277,7 +16272,7 @@ (defun org-format-latex-as-html (latex-fragment)
 "Convert LATEX-FRAGMENT to HTML.
 This uses `org-latex-to-html-convert-command', which see."
 (let ((cmd (format-spec org-latex-to-html-convert-command
-`((?i . ,latex-fragment)))))
+`((?i . ,(shell-quote-argument latex-fragment))))))
 (message "Running %s" cmd)
 (shell-command-to-string cmd)))
-- 
2.43.0