From 5dbe4457d0d938e8830888bc3ac58d6a43136558 Mon Sep 17 00:00:00 2001 Message-ID: <5dbe4457d0d938e8830888bc3ac58d6a43136558.1711873441.git.yantar92@posteo.net> From: Ihor Radchenko Date: Fri, 8 Mar 2024 14:05:12 +0300 Subject: [PATCH] org-latex-to-mathml/html-convert-command: Prevent shell expansion * lisp/org.el (org-create-math-formula): (org-format-latex-as-html): Shell-quote LaTeX fragment text when replacing %i placeholder. This prevents shell expansion of $... and similar constructs inside the code. (org-latex-to-mathml-convert-command): (org-latex-to-html-convert-command): Update the docstring. * etc/ORG-NEWS (~org-latex-to-mathml-convert-command~ and ~org-latex-to-html-convert-command~ shell-escape LaTeX code): Announce the breaking change. * doc/org-manual.org (LaTeX math snippets): Update example. Reported-by: Max Nikulin Link: https://orgmode.org/list/735645dd-1ddf-4579-a6dd-2700f3e83c94@gmail.com --- doc/org-manual.org | 2 +- etc/ORG-NEWS | 10 ++++++++++ lisp/org.el | 21 ++++++++++----------- 3 files changed, 21 insertions(+), 12 deletions(-) diff --git a/doc/org-manual.org b/doc/org-manual.org index c4f62644f..acc4512a5 100644 --- a/doc/org-manual.org +++ b/doc/org-manual.org @@ -15176,7 +15176,7 @@ **** LaTeX math snippets #+begin_src emacs-lisp (setq org-latex-to-mathml-convert-command - "latexmlmath \"%i\" --presentationmathml=%o") + "latexmlmath %i --presentationmathml=%o") #+end_src To quickly verify the reliability of the LaTeX-to-MathML diff --git a/etc/ORG-NEWS b/etc/ORG-NEWS index ee2cdfd16..739c3a43b 100644 --- a/etc/ORG-NEWS +++ b/etc/ORG-NEWS 
@@ -13,6 +13,16 @@ Please send Org bug reports to mailto:emacs-orgmode@gnu.org. * Version 9.7 (not released yet) ** Important announcements and breaking changes +*** ~org-latex-to-mathml-convert-command~ and ~org-latex-to-html-convert-command~ shell-escape LaTeX code + +Previously, ~org-latex-to-mathml-convert-command~ and +~org-latex-to-html-convert-command~ replaced %i placeholders with raw +LaTeX fragment text, potentially triggering shell-expansion. + +Now, the %i placeholders are shell-escaped to prevent shell expansion. + +The existing customizations that assume no shell-escaping must be updated. + *** Built-in HTML, LaTeX, Man, Markdown, ODT, and Texinfo exporters preserve the link protocol during export Previously, some link types where not exported as =protocol:uri= but diff --git a/lisp/org.el b/lisp/org.el index f3fae134d..f56767a1a 100644 --- a/lisp/org.el +++ b/lisp/org.el @@ -3266,7 +3266,9 @@ (defcustom org-latex-to-mathml-convert-command nil %j: Executable file in fully expanded form as specified by `org-latex-to-mathml-jar-file'. %I: Input LaTeX file in fully expanded form. -%i: The latex fragment to be converted. +%i: Shell-escaped LaTeX fragment to be converted. + It must not be used inside a quoted argument, the result of %i + expansion inside a quoted argument is undefined. %o: Output MathML file. This command is used by `org-create-math-formula'. @@ -3275,7 +3277,7 @@ (defcustom org-latex-to-mathml-convert-command nil \"java -jar %j -unicode -force -df %o %I\". When using LaTeXML set this option to -\"latexmlmath \"%i\" --presentationmathml=%o\"." +\"latexmlmath %i --presentationmathml=%o\"." :group 'org-latex :version "24.1" :type '(choice 
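Review bot: The new `%i` entry in the `org-latex-to-mathml-convert-command` docstring (hunk at -3266) calls the result inside a quoted argument "undefined" but never tells the reader what to do with a value written to the old advice. The same wording recurs in the `org-latex-to-html-convert-command` docstring (hunk at -3288). I would state the rule and its reason directly, e.g. `%i: Shell-escaped LaTeX fragment to be converted.  Write it bare, not as \"%i\" or \\='%i\\=': the escaping already makes it a single shell word.` The two added sentences are also joined by a comma splice. The defcustom form starts and ends outside the hunk.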
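Review bot: The updated example `latexmlmath %i --presentationmathml=%o` (hunk at -3275) passes the fragment as a bare positional argument, and shell-quoting does not stop the converter itself from reading a fragment that begins with `-` as an option. The HTML example in the next docstring sidesteps this with its `literal:` prefix. Whether a fragment can reach this command starting with `-` is not visible here, so I would only add one sentence to the docstring, such as `%i is protected against shell expansion only; place it where the converter cannot take it for an option.`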
@@ -3288,15 +3290,12 @@ (defcustom org-latex-to-html-convert-command nil directly replace the LaTeX fragment in the resulting HTML. Replace format-specifiers in the command as noted below and use `shell-command' to convert LaTeX to HTML. -%i: The LaTeX fragment to be converted. +%i: The LaTeX fragment to be converted (shell-escaped). + It must not be used inside a quoted argument, the result of %i + expansion inside a quoted argument is undefined. For example, this could be used with LaTeXML as -\"latexmlc \\='literal:%i\\=' --profile=math --preload=siunitx.sty 2>/dev/null\". - -The LaTeX fragment is replaced as is, without escaping special shell -syntax. It may be necessary to use single-quotes around \\='%i\\=', not -double-quotes. Else a math fragment such as \"$y = 200$\" may be -expanded to \" = 200\"." +\"latexmlc literal:%i --profile=math --preload=siunitx.sty 2>/dev/null\"." :group 'org-latex :package-version '(Org . "9.4") :type '(choice @@ -16332,7 +16331,7 @@ (defun org-create-math-formula (latex-frag &optional mathml-file) (expand-file-name org-latex-to-mathml-jar-file)))) (?I . ,(shell-quote-argument tmp-in-file)) - (?i . ,latex-frag) + (?i . ,(shell-quote-argument latex-frag)) (?o . ,(shell-quote-argument tmp-out-file))))) mathml shell-command-output) (when (called-interactively-p 'any) @@ -16400,7 +16399,7 @@ (defun org-format-latex-as-html (latex-fragment) "Convert LATEX-FRAGMENT to HTML. This uses `org-latex-to-html-convert-command', which see." (let ((cmd (format-spec org-latex-to-html-convert-command - `((?i . ,latex-fragment))))) + `((?i . ,(shell-quote-argument latex-fragment)))))) (message "Running %s" cmd) (shell-command-to-string cmd))) -- 2.44.0
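Review bot: A user value that still wraps `%i` in quotes, as both docstrings used to recommend, will now presumably get the escape characters passed through inside the quotes. Nothing at this call site in `org-create-math-formula` (hunk at -16332) or at the matching change in `org-format-latex-as-html` (hunk at -16400) tells the user why the converter output changed. Consider a warning when the template contains a quoted placeholder, e.g. `(when (string-match-p "[\"']%i" org-latex-to-mathml-convert-command) (display-warning 'org "%i is now shell-escaped; remove the surrounding quotes"))`; this is a heuristic and misses forms such as `'literal:%i'`. The diffstat lists no test file, so a regression test checking that a fragment like `$y = 200$` reaches the command as one unexpanded argument would also be worth adding. The body of `org-create-math-formula` continues outside the hunk.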