by blindly executing TeX when someone edits a page, we are assuming that they haven't included any malicious code in their TeX source.
TeX has two dangerous commands: shell escapes and writing to an arbitrary file. Both can be globally disabled (and are disabled by default in most TeX distributions). It is fairly easy however to write TeX which eats memory like crazy (TeX allows recursion :-), so we would have to somehow restrict the resources available to the TeX process. But we are of course right now already wide open to all sorts of denial-of-service attacks.
Axel
On Fri, Jun 21, 2002 at 07:07:38AM +0200, Axel Boldt wrote:
by blindly executing TeX when someone edits a page, we are assuming that they haven't included any malicious code in their TeX source.
TeX has two dangerous commands: shell escapes and writing to an arbitrary file. Both can be globally disabled (and are disabled by default in most TeX distributions). It is fairly easy however to write TeX which eats memory like crazy (TeX allows recursion :-), so we would have to somehow restrict the resources available to the TeX process. But we are of course right now already wide open to all sorts of denial-of-service attacks.
We don't need real TeX - we only need something that can parse limited TeX math mode and renders that.
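An added example, not code from this thread or from the wiki software: a pre-render filter that accepts only a limited math-mode subset, so file-writing, macro-defining and recursive constructs never reach TeX. The allowlist contents, the size limits and the names `validate_math` and `RejectedFormula` are assumptions chosen for illustration.

```python
import re

# Assumed allowlist for illustration; a deployment would choose its own.
ALLOWED_COMMANDS = frozenset({
    "frac", "sqrt", "sum", "int", "prod", "lim", "infty", "cdot", "times",
    "le", "ge", "ne", "alpha", "beta", "gamma", "pi", "theta", "left",
    "right", "sin", "cos", "log", "exp", "mathbf", "mathrm",
})
ALLOWED_SYMBOLS = frozenset(",;!{}| ")   # control symbols such as \, and \{
MAX_LENGTH = 2000                         # characters (assumed limit)
MAX_DEPTH = 20                            # nested { } groups (assumed limit)

# A control word (\name), a control symbol (\,), or any other single character.
TOKEN = re.compile(r"\\([A-Za-z]+)|\\(.)|(.)", re.DOTALL)
PLAIN = re.compile(r"[A-Za-z0-9\s+\-*/=<>()\[\]|.,;:!'^_&{}]")

class RejectedFormula(ValueError):
    """Raised when the input leaves the allowed math subset."""

def validate_math(src):
    """Return the control words used in src, or raise RejectedFormula."""
    if len(src) > MAX_LENGTH:
        raise RejectedFormula("formula too long")
    if "^^" in src:  # TeX's ^^ notation can spell a backslash or any other character
        raise RejectedFormula("^^ notation is not allowed")
    depth, used = 0, []
    for match in TOKEN.finditer(src):
        word, symbol, char = match.groups()
        if word is not None:
            if word not in ALLOWED_COMMANDS:
                raise RejectedFormula(f"command \\{word} is not allowed")
            used.append(word)
        elif symbol is not None:
            if symbol not in ALLOWED_SYMBOLS:
                raise RejectedFormula(f"control symbol \\{symbol} is not allowed")
        elif not PLAIN.fullmatch(char):  # rejects %, #, $, ~, @ and a stray backslash
            raise RejectedFormula(f"character {char!r} is not allowed")
        elif char == "{":
            depth += 1
            if depth > MAX_DEPTH:
                raise RejectedFormula("groups nested too deeply")
        elif char == "}":
            depth -= 1
            if depth < 0:
                raise RejectedFormula("unbalanced }")
    if depth != 0:
        raise RejectedFormula("unbalanced {")
    return used
```

A filter like this sits in front of the renderer; the disabled shell escape, restricted file writes and per-process resource limits mentioned in the thread still apply to whatever TeX process runs behind it.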
On Fri, Jun 21, 2002 at 07:07:38AM +0200, Axel Boldt wrote:
by blindly executing TeX when someone edits a page, we are assuming that they haven't included any malicious code in their TeX source.
TeX has two dangerous commands: shell escapes and writing to an arbitrary file. Both can be globally disabled (and are disabled by default in most TeX distributions). It is fairly easy however to write TeX which eats memory like crazy (TeX allows recursion :-), so we would have to somehow restrict the resources available to the TeX process. But we are of course right now already wide open to all sorts of denial-of-service attacks.
FWIW I'd like to remark that I would also like to have a LaTeX in Wikipedia. If only to avoid that we would lose Alex to mathplanet.org. :-) But seriously, it would make writing math in Wikipedia a lot more fun, and the people at planetmath.org are probably more than willing to help us. In fact I think that it is important for both wikis that the transfer of material between Wikipedia and Planetmath should be as painless as possible.
-- Jan Hidders
Axel Boldt wrote:
by blindly executing TeX when someone edits a page, we are assuming that they haven't included any malicious code in their TeX source.
TeX has two dangerous commands: shell escapes and writing to an arbitrary file. Both can be globally disabled (and are disabled by default in most TeX distributions). It is fairly easy however to write TeX which eats memory like crazy (TeX allows recursion :-), so we would have to somehow restrict the resources available to the TeX process. But we are of course right now already wide open to all sorts of denial-of-service attacks.
Axel
Hey guys,
would using MathML (an XML language for description of mathematical formulas) be an option?
I am not part of the math community, but I could imagine that a good part of the people either already use tools that produce MathML or know the syntax off the top of their heads.
There are probably also tools around that allow for automated rendering of images from MathML formulae.
Mozilla even provides an editor for MathML. See http://www.newmexico.mackichan.com/MathML/mathmled.htm
Marian
On Sat, Jul 06, 2002 at 01:45:07AM +0200, Marian Steinbach wrote:
would using MathML (an XML language for description of mathematical formulas) be an option?
That has been suggested before and there has been quite some debate over that. As far as I remember most people were in the end in favour of TeX/LaTeX because:
- it displays on a wider range of browsers
- it's easier to read
- more people know it
-- Jan Hidders
Jan.Hidders wrote:
On Sat, Jul 06, 2002 at 01:45:07AM +0200, Marian Steinbach wrote:
would using MathML (an XML language for description of mathematical formulas) be an option?
That has been suggested before and there has been quite some debate over that. As far as I remember most people were in the end in favour of TeX/LaTeX because:
- it displays on a wider range of browsers
- it's easier to read
- more people know it
-- Jan Hidders
I've just had a look at the TeX to HTML convertor: the results are horrible on my browser: MathML or rendered images from source is the way to go, I think.
I suggest something like this:
0. Use TeX in the Wiki source (perhaps in <tex> </tex> delimiters?)
1. Convert TeX to MathML.
2. Serve MathML to modern browsers
3. Serve rendered images of MathML (eg, using the Gecko engine) to users with old browsers.
Why not render TeX directly? Because the MathML "bottleneck" will ensure that everyone sees the same thing, and it also provides a way to move eventually to supporting native MathML in the source, when MathML is a mature, editable, format in most browsers. Even better would be if we could do a 2-way TeX <-> MathML conversion, but that's probably asking too much.
Neil
On Sat, Jul 06, 2002 at 01:44:12AM +0100, Neil Harris wrote:
Why not render TeX directly? Because the MathML "bottleneck" will ensure that everyone sees the same thing, and it also provides a way to move eventually to supporting native MathML in the source, when MathML is a mature, editable, format in most browsers.
Unless you plan to move to a MathML-only solution in the short term, say two years or so, I don't see the point of such a dual system. It would make things more complex than necessary. If you only render TeX then everything also looks the same to everybody and you have the benefit of a notation that is easier to read and write. The only drawback I see is that you need to install TeX and that GIFs don't scale when people use different font sizes but if you look on www.planetmath.org you can see that it works even then quite well.
Really, your enthusiasm is greatly appreciated but accessibility is quite important for Wikipedia, so even if Mozilla & IE would fully support MathML then I doubt that it would switch to a MathML-only setup.
-- Jan Hidders
wikitech-l@lists.wikimedia.org