Appropriateness for displaying user-submitted LaTeX #125

Open
JeffreyOfYOSPOS opened this issue Feb 12, 2021 · 1 comment

@JeffreyOfYOSPOS

I am running forum software and wish to allow users to include LaTeX in posts. I have a basic implementation running using katex directly. I see that this project builds on top of katex. I have a couple questions:

  1. What are the broad-strokes differences between katex and this? What do you handle that isn't handled by katex?
  2. I see katex has security settings - it runs with "trusted = false" by default, which blocks things like \includegraphics that are inappropriate for user-submitted content. Do you plan on making this distinction in your own codebase? I see that you call katex without changing the "trusted" setting, but is this something that might change in the future? Is it safe to pass user-submitted latex through latex.js and display the output as is? I would probably need to enhance this to provide a "maxSize" to katex, so users can't create arbitrarily large posts in an attempt to DOS people reading the thread.
  3. Are there any plans to support the "Auto-render Extension" plugin to katex? I found that useful for designating places on my site where math might be found.

Thanks for any time you are willing to spend answering me - I appreciate the work you've put in already.

@JeffreyOfYOSPOS JeffreyOfYOSPOS changed the title Appropriateness for user-submitted code Appropriateness for displaying user-submitted LaTeX Feb 12, 2021
@michael-brade
Owner

Hi,

  1. KaTeX is only math with a few exceptions. And those are mainly so that you can include a bit of text in a math environment. LaTeX.js does everything else. Well, everything except stuff that I haven't implemented yet ;-)
  2. Good point! I didn't have to think about this yet because I am still working on \includegraphics. But so far I can't think of any security issues with LaTeX.js. But yes, I guess it makes sense to add a trusted setting to LaTeX.js as well soon.
  3. Do you mean I should add an auto-render extension to LaTeX.js? That may be possible, but at the moment I use the little time I have to work on graphicx...
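
Added example, not part of either comment and not LaTeX.js code: one way to call KaTeX directly on user-submitted math with the settings raised in the question (the trust setting and a size cap). The helper names `renderUserMath` and `escapeHtml`, the limit `MAX_SOURCE_CHARS` and the option values are assumptions; the `katex` module is passed in by the caller.

```javascript
// Added example, not latex.js code. The caller passes in the katex module, e.g.
//   const katex = require("katex"); renderUserMath(katex, "\\frac{a}{b}");
const MAX_SOURCE_CHARS = 2000; // assumed per-formula limit; tune for your forum

// Real KaTeX option names; the values are assumptions for a forum.
const UNTRUSTED_KATEX_OPTIONS = Object.freeze({
  trust: false,       // KaTeX's name for the setting; false is also its default
  maxSize: 10,        // cap user-specified sizes such as \rule{500em}{500em}, in em
  maxExpand: 100,     // cap macro expansions (KaTeX default is 1000)
  throwOnError: true, // raise on bad input so the caller chooses the fallback
});

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));
}

// Returns { ok, html }. On any rejection the html is the escaped source text,
// never raw user input.
function renderUserMath(katex, tex, displayMode = false) {
  if (typeof tex !== "string") return { ok: false, html: "" };
  if (tex.length > MAX_SOURCE_CHARS) {
    // Oversized input never reaches the renderer; show a short escaped preview.
    return { ok: false, html: "<code>" + escapeHtml(tex.slice(0, 80)) + "…</code>" };
  }
  try {
    const html = katex.renderToString(tex, { ...UNTRUSTED_KATEX_OPTIONS, displayMode });
    return { ok: true, html };
  } catch (err) {
    // Parse errors and disallowed commands fall back to the escaped source.
    return { ok: false, html: "<code>" + escapeHtml(tex) + "</code>" };
  }
}
```

This covers only the direct KaTeX call; it does not answer whether output from LaTeX.js itself is safe to display as is.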
