org-latex-to-mathml/html-convert-command: Prevent shell expansion

* lisp/org.el (org-create-math-formula): (org-format-latex-as-html): Shell-quote LaTeX fragment text when replacing %i placeholder. This prevents shell expansion of $... and similar constructs inside the code. (org-latex-to-mathml-convert-command): (org-latex-to-html-convert-command): Update the docstring. * etc/ORG-NEWS (~org-latex-to-mathml-convert-command~ and ~org-latex-to-html-convert-command~ shell-escape LaTeX code): Announce the breaking change. * doc/org-manual.org (LaTeX math snippets): Update example. Reported-by: Max Nikulin <manikulin@gmail.com> Link: https://orgmode.org/list/735645dd-1ddf-4579-a6dd-2700f3e83c94@gmail.com
2024-12-01 08:17:34 +00:00 · 2024-03-08 14:05:12 +03:00 · 2024-03-08 14:05:12 +03:00 · a698d073a1
commit a698d073a1
parent 1d86651bef
3 changed files with 25 additions and 12 deletions
--- a/doc/org-manual.org
+++ b/doc/org-manual.org
@ -15177,7 +15177,7 @@ document in one of the following ways:

  #+begin_src emacs-lisp
  (setq org-latex-to-mathml-convert-command
-        "latexmlmath \"%i\" --presentationmathml=%o")
+        "latexmlmath %i --presentationmathml=%o")
  #+end_src

  To quickly verify the reliability of the LaTeX-to-MathML
--- a/etc/ORG-NEWS
+++ b/etc/ORG-NEWS
@ -13,6 +13,20 @@ Please send Org bug reports to mailto:emacs-orgmode@gnu.org.

 * Version 9.7 (not released yet)
 ** Important announcements and breaking changes
+*** ~org-latex-to-mathml-convert-command~ and ~org-latex-to-html-convert-command~ may need to be adjusted
+
+Previously, =%i= placeholders in the
+~org-latex-to-mathml-convert-command~ and
+~org-latex-to-html-convert-command~ user options were replaced with
+raw LaTeX fragment text, potentially triggering shell-expansion and
+incorrect result.
+
+Now, the =%i= placeholders are shell-escaped to prevent shell
+expansion.
+
+If you have single or double quotes around =%i= then update
+customizations and remove quotes.
+
 *** Org mode faces are now consistently combined, with markup faces taking precedence over the containing element faces

 Previously, fontification of inline source blocks, macros, footnotes,
--- a/lisp/org.el
+++ b/lisp/org.el
@ -3266,7 +3266,9 @@ Replace format-specifiers in the command as noted below and use
 %j:     Executable file in fully expanded form as specified by
        `org-latex-to-mathml-jar-file'.
 %I:     Input LaTeX file in fully expanded form.
-%i:     The latex fragment to be converted.
+%i:     Shell-escaped LaTeX fragment to be converted.
+        It must not be used inside a quoted argument, the result of %i
+        expansion inside a quoted argument is undefined.
 %o:     Output MathML file.

 This command is used by `org-create-math-formula'.
@ -3275,7 +3277,7 @@ When using MathToWeb as the converter, set this option to
 \"java -jar %j -unicode -force -df %o %I\".

 When using LaTeXML set this option to
-\"latexmlmath \"%i\" --presentationmathml=%o\"."
+\"latexmlmath %i --presentationmathml=%o\"."
  :group 'org-latex
  :version "24.1"
  :type '(choice
@ -3288,15 +3290,12 @@ This command is very open-ended: the output of the command will
 directly replace the LaTeX fragment in the resulting HTML.
 Replace format-specifiers in the command as noted below and use
 `shell-command' to convert LaTeX to HTML.
-%i:     The LaTeX fragment to be converted.
+%i:     The LaTeX fragment to be converted (shell-escaped).
+        It must not be used inside a quoted argument, the result of %i
+        expansion inside a quoted argument is undefined.

 For example, this could be used with LaTeXML as
-\"latexmlc \\='literal:%i\\=' --profile=math --preload=siunitx.sty 2>/dev/null\".
-
-The LaTeX fragment is replaced as is, without escaping special shell
-syntax.  It may be necessary to use single-quotes around \\='%i\\=', not
-double-quotes.  Else a math fragment such as \"$y = 200$\" may be
-expanded to \" = 200\"."
+\"latexmlc literal:%i --profile=math --preload=siunitx.sty 2>/dev/null\"."
  :group 'org-latex
  :package-version '(Org . "9.4")
  :type '(choice
@ -16350,7 +16349,7 @@ inspection."
 			      (expand-file-name
 			       org-latex-to-mathml-jar-file))))
 		 (?I . ,(shell-quote-argument tmp-in-file))
-		 (?i . ,latex-frag)
+		 (?i . ,(shell-quote-argument latex-frag))
 		 (?o . ,(shell-quote-argument tmp-out-file)))))
 	 mathml shell-command-output)
    (when (called-interactively-p 'any)
@ -16418,7 +16417,7 @@ inspection."
  "Convert LATEX-FRAGMENT to HTML.
 This uses  `org-latex-to-html-convert-command', which see."
  (let ((cmd (format-spec org-latex-to-html-convert-command
-			  `((?i . ,latex-fragment)))))
+			  `((?i . ,(shell-quote-argument latex-fragment))))))
    (message "Running %s" cmd)
    (shell-command-to-string cmd)))