Loading...
 
Skip to main content

Custom Share Module 0.1dev

PluginFormula

  1. This should be merged/moved to Mod Formula
  2. The plugin system has since been improved to be able to deal with this type of security concern. We need a developer to volunteer to update the plugin and put it back in the main Tiki code base. If you are up for it, please see How to get commit access
  3. Please see more general information on doc:Math and dev:Math


Major Security Issue when used in Tiki < 3.0


Janko Heilgeist pointed out a major security problem with this plugin, when used in Tiki versions up tp tiki2.4. Unfortunately, it is not easy to fix. See the source code for details. As an interim measure, I have disabled the plugin. If you understand the issues involved and still want to use the plugin, you can enable it by editing your copy of the source.

This plugin renders formulas calling LaTeX, uses its syntax, and if it leave some exploitable hole, the plugin will be unsafe. In the other hand, if a LaTeX implementation have those "holes" closed it could be used and make safer the plugin.

Also could exist more programs/libraries that convert formulas to images to be used by the script with few changes.

But the main alternative today is instead of generating graphic with the formula is to generate MathML, a markup language for math symbols, that can be viewed with Netscape7+/Mozilla or with Internet Explorer with the ))MathPlayer(( plugin. There are some php libraries that can be used for this, i.e. ASCIIMath (a PHP library to render formulas using MathML but is a php port of a gpl code, so if it is used the plugin should not be included with normal Tiki distribution) or other alternatives.


However, since Tiki 3 allows validation of potentially unsafe plugins, this is no longer a major handicap to use this plugin in tiki3+ installations.


This plugin includes a mathematical formula in a wiki page.

This plugin works in Unix-style servers only. There is no Windows version of this plugin. If someone wants to contribute a port to mods.tiki.org, that would be welcome. See the comments below for what might need to be done.

Usage

{FORMULA()}formula{FORMULA}

"formula" is a formula written in LaTeX syntax. Some examples can be seen in this Wikipedia page.

Requirements


This plugin depends on external programs and will not work in php safe mode. At present only *nix servers can use it. Your path must include latex, dvips, the convert programs. Also the plugin comes from GPL'd code, and that conflicts with Tiki LGPL license.

Consequently, the plugin is not installed in Tiki by default, but will later (not currently) be found in the download wiki plugins section of http://mods.tiki.org.

Examples


{FORMULA()}e=mc^2{FORMULA} (render in text the formula)

{FORMULA()}\sqrt{2}\approx 1.4{FORMULA} (includes a .png showing that the square root of 2 is approx. 1.4)

Setup and Install Recipe


This recipe give the steps needed to set up and run the formula pluggin assuming you have root access on your server and tiki otherwise installed and running.

Check for the latex, dvips and convert commands with:
# which latex
# which dvips
# which convert

If you don't have one or more of them, you must install them. On RedHat, version8, these commands come from the tetex-dvips, tetex-fonts, tetex-latex and tetex packages. If your system does not have X installed, which can be the case for servers, you may also need to install the following rpms:
dialog
psutils
netpbm-progs
netpbm
ImageMagik
ghostscript
ghostscript-fonts
VFlib2
urw-fonts
Omni
cups-libs
gimp-print
XFree86-truetype-fonts
chkfontpath
XFree86-font-utils
XFree86-xfs

FIXME: This directoins are not correct if you get the plugin from mods.tiki.org. After the necessary support software is installed, install the plugin by coping the files into the necessary locations:

# cd <tiki-root-dir>/lib
# cp wiki-plugins-dist/wikiplugin_formula.php wiki-plugins/
# cp wiki-plugins-dist/tex2png .

Make sure tex2png has executable permission.

If you run into trouble you can debug it by running tex2png from the bash shell and looking at the output.

The server for Tikiwiki.org does not have the plugin insalled.

Development needed


The security problem, mentioned above and detailed in the source code is a big stumbling block. We need someone to figure out how to make this work without leaving a big open door for anyone to run any script on your server. Maybe we could start by looking at the way media wiki (the software used by wikipedia) handles the problem in their <math> syntax.

Comments regarding development of a Windows version of the Formula Plugin


probably renaming tex2png to tex2png.bat (well, and doing some adaptations like removing lines starting with #) and installing the windows port of latex, dvips and imagemagick/convert will be enough for it to run under windows, but can't assure it will work without trying.

Comment regarding performance

I couldn't get dvips on my host running (provider constraints), so I changed the script tex2png and it runs about 2 times faster:

Image
Copy to clipboard
5,7c5,8 < latex \$1 < dvips -E -f \$1.dvi > \$1.ps < convert -density 110 \$1.ps \$1.png --- > latex -halt-on-error \$1 > dvipng \$1.dvi -o \$1.tmp.png > convert -density 110 -trim \$1.tmp.png \$1.png > rm -rf \$1.tmp.png \$1.aux \$1.log \$1.dvi

Possible other way of getting Latex into TikiWiki


So here is a little trick I just found out which is easy to install and I think it should be a bit more secure than the Plugin from above. Let's review the step by step installation process:

Requirements

You will need to get the the ASCIIMathML javascript from here or directly download it from the respective download page

Installation

  1. Copy the ASCIIMathML.js into your TikiWiki installation directory under /path/to/tiki/lib to make it available for TikiWiki
  2. Now open up the header template in your favourite text editor. The header template is under /path/to/tiki/templates/header.tpl
  3. Edit the header file and add the following line:
header.tpl
Copy to clipboard
{* --- tikiwiki block --- *} <script type="text/javascript" src="lib/tiki-js.js"></script> <script type="text/javascript" src="lib/ASCIIMathML.js"></script> {include file="bidi.tpl"} <title>


The line which adds the javascript lib/ASCIIMathML.js right under the one for the tiki-js.js is the one you want to add. And than your are done and you can write latex right into your tiki 😛

Now you can go and try it out, edit any wiki entry and write a latex formula in between $ $ like inline latex style. Here is an example

latex example
Copy to clipboard
$\int_0^{\pi/2} \sin x\,dx=1$ $\frac{\partial \rho}{\partial t} + \nabla \cdot (\rho v) = 0$


I checked for the above security issue and this is not a problem with this implementation, since the javascript directly converts the latex to MathML. Also this should work on all major platforms: *nix, Linux, MacOS and Windows.
Have fun with this and please give feedback.

Feedback
xavi: Impressive! Thanks! Comments/concerns:

  • I'm concerned about the 150 kb default size of that additional js that will be loaded locally by each new visitor to the site. Isn't it too much footprint?
  • your link points to the version 1.4.7, which is GPL'd. However, I've just seen that there s a newer version (2.0.2 by the time of this writing), which moreover, it's LGPL'd, which makes it compatible with Tiki. Interesting....


Issues

  • xavi: using version 1.4.7 I get many popups from firefox (3.0.x under GNU/Linux, in case it matters) reporting that there is a slow script underway in the page, showing also this line:
    Copy to clipboard
    Script: http://localhost/tiki3svn/lib/ASCIIMathML.js:1486


    After some time, the ascii from the example above gets converted into nice equations:
    however, the popup requesting to stop the slow js seems to show up forever (I stopped the js after 5 times I saw the popup, a couple of minutes in total or so after the equations were parsed on the page.
    asciimathml_147_on_tiki3_example.png (16.69 Kb)

  • xavi: using version 2.0.2, I get the popup messages saying no responding script at several lines: 472 (several times), 276, 1565, 1452, 1474, .... Moreover, the code inside the Plugin CODE tags gets parsed also:
    asciimathml_202_firefox_error_ca.png (42.09 Kb)

Page last modified on Friday 20 September 2019 16:14:06 GMT-0000