From: | Max Nikulin |
Subject: | Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command |
Date: | Mon, 1 Apr 2024 17:29:40 +0700 |
User-agent: | Mozilla Thunderbird |
On 31/03/2024 15:25, Ihor Radchenko wrote:
> Max Nikulin writes:
>> I think it is in the right direction.
>> - Manual needs update as well.
>> - I would explicitly stress that quotes cause undefined or even
>>   dangerous behavior. See e.g. the last paragraph
>>   https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s07.html
>
> I have incorporated the above suggestions into the attached version of the patch.
Thanks, I have not tried the updated patch in action, but it looks like what I expect.
+++ b/etc/ORG-NEWS @@ -13,6 +13,16 @@ Please send Org bug reports to mailto:emacs-orgmode@gnu.org.* Version 9.7 (not released yet)** Important announcements and breaking changes +*** ~org-latex-to-mathml-convert-command~ and ~org-latex-to-html-convert-command~ shell-escape LaTeX code + +Previously, ~org-latex-to-mathml-convert-command~ and +~org-latex-to-html-convert-command~ replaced %i placeholders with raw +LaTeX fragment text, potentially triggering shell-expansion. + +Now, the %i placeholders are shell-escaped to prevent shell expansion. + +The existing customizations that assume no shell-escaping must be updated. +
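Review bot: The closing sentence of the new ORG-NEWS entry, "The existing customizations that assume no shell-escaping must be updated.", does not tell users what to look for or what to change. Name the concrete case: a command value that wraps %i in single or double quotes now quotes an already escaped argument, so those quotes should be removed. The bare %i in the entry could also be written as =%i= so that it renders as verbatim text like the ~...~ option names beside it.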
I would consider explicit mention of stripping quotes

+Previously, =%i= placeholders in the ~org-latex-to-mathml-convert-command~ and ~org-latex-to-html-convert-command~ user options were replaced with raw LaTeX fragment text, potentially triggering shell-expansion and incorrect result. Now, the =%i= placeholders are shell-escaped to prevent shell expansion. If you have single or double quotes around =%i= then update customizations and remove quotes.
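The quoting interaction discussed in this thread, as an added example that is not part of the original message or of the Org patch: it substitutes a fragment for %i raw and backslash-escaped, with and without quotes around the placeholder, and runs the result through sh. The function names, the sample fragment and the escaping rule (a backslash before every character outside a small safe set) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; names and the sample fragment are constructed.

# Backslash-escape every character outside a conservative safe set
# (assumed escaping rule for this example; single-line input only).
escape_arg() {
    printf '%s' "$1" | sed 's|[^-0-9a-zA-Z_./]|\\&|g'
}

# Replace the first %i in template $1 with $2 and run the result via sh -c.
run_template() {
    prefix=${1%%"%i"*}
    suffix=${1#*"%i"}
    sh -c "$prefix$2$suffix"
}

# Constructed fragment: a harmless command substitution plus a LaTeX macro.
FRAGMENT='$(echo RAN) \alpha'

# Old behaviour: raw text substituted; quotes around %i do not stop $(...).
old_raw()      { run_template "printf '%s' %i" "$FRAGMENT"; }
old_quoted()   { run_template "printf '%s' \"%i\"" "$FRAGMENT"; }

# New behaviour: escaped text substituted. Unquoted %i round-trips the
# fragment; a quoted %i leaves literal backslashes in the argument.
new_unquoted() { run_template "printf '%s' %i" "$(escape_arg "$FRAGMENT")"; }
new_quoted()   { run_template "printf '%s' \"%i\"" "$(escape_arg "$FRAGMENT")"; }

for c in old_raw old_quoted new_unquoted new_quoted; do
    printf '%-13s -> [%s]\n' "$c" "$("$c")"
done
```

Only the escaped, unquoted case hands the command the fragment unchanged, which is why customizations with quotes around %i have to drop them.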