Attention
Version 3 is now the current version of MathJax. This document is for version 2.
MathJax Safe-mode
MathML includes the ability to specify hyperlinks within your
mathematics, and such links could be made to javascript:
URL’s.
For example, the expression
<math>
<mtext href="javascript:alert('Hello!')">Click Me</mtext>
</math>
would display the words “Click Me” that when clicked would generate an alert message in the browser. This is a powerful feature that provides authors the ability to tie actions to mathematical expressions.
Similarly, MathJax provides an HTML extension for the TeX language that allows you to include hyperlinks in your TeX formulas:
$E \href{javascript:alert("Einstein says so!")}{=} mc^2$
Here the equal sign will be a link that pops up the message about Einstein.
Both MathML and the HTML extension for TeX allow you to add CSS styles, classes, and id’s to your math elements as well. These features can be used to produce interactive mathematical expressions to help your exposition, improve student learning, and so on.
If you are using MathJax in a community setting, however, like a question-and-answer forum, a wiki, a blog with user comments, or other situations where your readers can enter mathematics, then your readers would be able to use such powerful tools to corrupt the page, or fool other readers into giving away sensitive information, or interrupt their reading experience in other ways. In such environments, you may want to limit these abilities so that your readers are protected form these kinds of malicious actions.
(Authors who are writing pages that don’t allow users to enter data on the site do not have to worry about such problems, as the only mathematical content will be their own. It is only when users can contribute to the page that you have to be careful.)
MathJax provides a Safe extension to help you limit your
contributors’ powers. There are two ways to load it. The easiest is
to add ,Safe
after the configuration file when you are loading
MathJax.js
:
<script src="https://example.com/MathJax.js?config=TeX-AMS_CHTML,Safe"></script>
This causes MathJax to load the TeX-AMS_CHTML
configuration file,
and then the Safe
configuration, which adds the Safe extension to
your extensions
array so that it will be loaded with the other
extensions.
Alternatively, if you are using in-line configuration, you could just
include "Safe.js"
in your extensions
array directly:
<script type="text/x-mathjax-config">
MathJax.Hub.Config({
jax: ["input/TeX","output/CommonHTML"],
extensions: ["tex2jax.js","Safe.js"]
});
</script>
<script src="https://example.com/MathJax.js"></script>
The Safe extension has a number of configuration options that let you fine-tune what is allowed and what is not. See the Safe extension options for details.