On 31/03/2024 15:25, Ihor Radchenko wrote:
Max Nikulin writes:
I think it is in the right direction.
- Manual needs update as well.
- I would explicitly stress that quotes cause undefined or even
dangerous behavior. See e.g. the last paragraph
https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s07.html
I have incorporated the above suggestions into the attached version of
the patch.
Thanks, I have not tried the updated patch in action, but it looks like
what I expect.
+++ b/etc/ORG-NEWS
@@ -13,6 +13,16 @@ Please send Org bug reports to mailto:emacs-orgmode@gnu.org.
* Version 9.7 (not released yet)
** Important announcements and breaking changes
+*** ~org-latex-to-mathml-convert-command~ and
~org-latex-to-html-convert-command~ shell-escape LaTeX code
+
+Previously, ~org-latex-to-mathml-convert-command~ and
+~org-latex-to-html-convert-command~ replaced %i placeholders with raw
+LaTeX fragment text, potentially triggering shell-expansion.
+
+Now, the %i placeholders are shell-escaped to prevent shell expansion.
+
+The existing customizations that assume no shell-escaping must be updated.
+
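Review bot: The last added sentence, "The existing customizations that assume no shell-escaping must be updated.", does not tell the reader what to change. Name the concrete action: because %i is now shell-escaped, a customization that wraps it in single or double quotes has to drop those quotes. Separately, the new "+***" heading appears split over two lines in this hunk (the first ends in "and"); an Org heading has to be a single line, so check that the break is only mail wrapping. The placeholder could also be written as =%i= to match the ~...~ markup used for the option names.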
I would consider explicit mention of stripping quotes:
+Previously, =%i= placeholders in the ~org-latex-to-mathml-convert-command~
and ~org-latex-to-html-convert-command~ user options were replaced
with raw LaTeX fragment text, potentially triggering shell-expansion
and incorrect result.
Now, the =%i= placeholders are shell-escaped to prevent shell expansion.
If you have single or double quotes around =%i= then update
customizations and remove quotes.
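
Why quotes around an already escaped =%i= give an incorrect result, shown as an added example that is not part of the original message or of Org's code. It assumes a generic backslash-escaping scheme and uses `printf` as a stand-in for the converter command; `escape_arg`, `render` and `argv_seen` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: model of "%i is shell-escaped before substitution".
# escape_arg, render and argv_seen are hypothetical helpers, not Org functions.

# Backslash-escape every character outside a conservative safe set.
# Assumption: single-line input; a generic scheme, not Org's implementation.
escape_arg() {
    printf '%s' "$1" | sed 's|[^-0-9a-zA-Z_./]|\\&|g'
}

# Replace the first %i in template $1 with the escaped form of fragment $2.
render() {
    tmpl=$1
    pre=${tmpl%%%i*}     # text before the first %i
    post=${tmpl#*%i}     # text after the first %i
    printf '%s%s%s' "$pre" "$(escape_arg "$2")" "$post"
}

# Let a real shell parse the rendered command line; the printf inside the
# template echoes back the argument that the command actually receives.
argv_seen() {
    sh -c "$(render "$1" "$2")"
}

FRAGMENT='$x^2$  y'   # constructed sample LaTeX fragment

# Same command with %i bare, single-quoted and double-quoted.
for tmpl in "printf '<%s>' %i" "printf '<%s>' '%i'" "printf '<%s>' \"%i\""; do
    printf '%-22s -> %s\n' "$tmpl" "$(argv_seen "$tmpl" "$FRAGMENT")"
done
```

Only the bare =%i= template hands the command the original fragment; both quoted templates pass it stray backslashes from the escaping.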