mehdisadeghi / react-mathjax-preview

The MathJax React component you were looking for.
https://mehdisadeghi.github.io/react-mathjax-preview/
MIT License
49 stars 30 forks

Component is susceptible to XSS #9

Closed dpikt closed 5 years ago

dpikt commented 6 years ago

I was using this component to render some user input. I didn't realize it was using innerHTML under the hood 😱

For example, you can enter the following into the demo:

```html
<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" onload="document.body.style.backgroundColor = 'red';alert('Im a bunch of arbitrary javascript!!!');">
```

This is bad news.

I'm not sure if there's a way around this with the way this component currently renders Mathjax, but it should certainly be documented if it's a necessary consideration in using the component.

mehdisadeghi commented 6 years ago

Thanks for reporting @dpikt.

I'll get to it as soon as I can and sanitize the math source before adding it to the DOM. You can beat me to it by a PR of course 😉

mehdisadeghi commented 6 years ago

@dpikt it turns out it is not that easy a task. Sanitizing the input will break MathML rendering. I'm looking for a better solution.

mehdisadeghi commented 5 years ago

@dpikt I used DOMPurify to sanitize the inputs. The problem should not happen again.