
Katex.ts security options seems ignored #2397

@mathdesc

On v.0.50-b7 on Firefox or Chrome, I am unable to prevent KaTeX `\href` rendering on unwanted protocols.

I've set up a katex.ts as in #644 and, as per the KaTeX options guide, specified `trust: (context) => context.protocol !== 'https'` and the `trust` and `strict` options to prevent some protocols from rendering (for testing: file, http, https, stp).

Acknowledging Slidev's KaTeX setup function, I did a setup/katex.ts file that looks like this:

```ts
import { defineKatexSetup } from '@slidev/types'
// TrustContext is a type only: a type-only import avoids a runtime import of a non-existent export
import type { TrustContext } from 'katex'

export default defineKatexSetup(() => {
  return {
    /* ... */
    macros: {
      "\\dst": "\\displaystyle"
    },
    // strict: true makes KaTeX throw on non-LaTeX-compatible input instead of only warning
    strict: true,
    // trust callback: returning true trusts the command; this version trusts
    // every protocol except https (the test configuration used for this report)
    trust: (context: TrustContext) => context.protocol !== 'https',
  }
})
```

My test markdown looks like this:

```md
# Testing Katex setup

Here is some quantum formula with a ref:

$$
\begin{aligned}
Knowing ~probability~ |\alpha|^2 + |\beta|^2 &= 1 & & (\alpha,\beta) \in \mathbb C^2
\\ |\psi\rangle &= \kern3em \alpha |0\rangle \kern2.5em + \kern2.5em \beta |1\rangle & & \href{https://fr.wikipedia.org/wiki/Postulats_de_la_m%C3%A9canique_quantique#Postulat_VI}{Post.6: linearity}
\end{aligned}
$$
```

In any of the `\href` protocols I tested/used (file, http, https, stp, etc.) and defined accordingly as not allowed (trust), all were handled and rendered. If the trust option is not honored, I also realized that strict (which I override to true, conversely to the default) seems not to be overridden / honored either...

I expected that they aren't handled (i.e. transformed like path traversal for 'file://') nor rendered. Or did I miss something?
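A quick check of the callback's polarity, added here as an example (not code from the issue, Slidev or KaTeX): KaTeX renders `\href` when the `trust` callback returns true, so the callback above trusts every protocol except https, and an allow-list callback is the usual defensive shape. The `TrustContext` shape and the `'_relative'` sentinel for relative URLs are assumptions mirroring KaTeX's documented trust context; the sample contexts are constructed.

```typescript
// Mirrors the context KaTeX passes to `trust` for \href / \url (assumption).
interface TrustContext {
  command: string;
  url: string;
  protocol: string; // e.g. 'https', 'file', or '_relative' for relative URLs
}

// The callback from the issue: true (= trusted) for everything EXCEPT https,
// so file: and http: links get rendered while https links do not.
const reporterTrust = (ctx: TrustContext): boolean => ctx.protocol !== 'https';

// Allow-list alternative: trust only the commands and protocols the deck needs.
const ALLOWED_PROTOCOLS = new Set(['https', 'mailto', '_relative']);
const allowListTrust = (ctx: TrustContext): boolean => {
  if (ctx.command !== '\\href' && ctx.command !== '\\url') return false;
  // Normalise case defensively in case the protocol is passed through as typed.
  return ALLOWED_PROTOCOLS.has(ctx.protocol.toLowerCase());
};

// Constructed sample contexts, as KaTeX would derive them from the link URL.
const SAMPLES: TrustContext[] = [
  { command: '\\href', url: 'https://example.org/doc', protocol: 'https' },
  { command: '\\href', url: 'http://example.org/doc', protocol: 'http' },
  { command: '\\href', url: 'file:///etc/hosts', protocol: 'file' },
  { command: '\\href', url: 'stp://example.org', protocol: 'stp' },
  { command: '\\href', url: '#slide-3', protocol: '_relative' },
  { command: '\\url', url: 'https://example.org', protocol: 'https' },
];

// Runs a trust callback over the samples and returns the protocols it would allow.
function allowedProtocols(trust: (c: TrustContext) => boolean): string[] {
  return SAMPLES.filter(trust).map((c) => c.protocol);
}

console.log('reporter callback allows:', allowedProtocols(reporterTrust));
console.log('allow-list callback allows:', allowedProtocols(allowListTrust));
```

If the reporter callback's output shows up as rendered links in the deck, the callback is being honored exactly as written; if https links render too, the option is not reaching KaTeX.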
