| Age | Commit message | Author |
|
The fix for #8620 caused the mathjax script to be included
when the table of contents but not the body text of a page
contains math. But it broke the case where the table of
contents doesn't contain math but the page does.
This patch fixes the issue.
Closes #8967.
|
|
Guilhem Moulin noticed that the fix to CVE-2023-35936 was incomplete.
An attacker could get around it by double-encoding the malicious
extension to create or override arbitrary files.
    $ echo '' >b.md
    $ .cabal/bin/pandoc b.md --extract-media=bar
    <p><img
    src="bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+%2f%2e%2e%2f%2e%2e%2fb%2elua" /></p>
    $ cat b.lua
    print "hello"
    $ find bar
    bar/
    bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+
This commit adds a test case for this more complex attack and fixes
the vulnerability. (The fix is quite simple: if the URL-unescaped
filename or extension contains a '%', we just use the sha1 hash of the
contents as the canonical name, just as we do if the filename contains
'..'.)
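The naming rule this commit message describes, as an added Python sketch (not pandoc's Haskell code): after one round of URL-unescaping, a name that still contains `%` or `..` is replaced by the SHA-1 of the contents. The function names, the `bin` fallback extension, the absolute-path and `:` checks, and the sample inputs are assumptions constructed for illustration.

```python
import hashlib
import posixpath
from urllib.parse import unquote

FALLBACK_EXT = "bin"  # assumption: used when no trustworthy extension remains


def canonical_media_name(src: str, contents: bytes) -> str:
    """Return the relative name under which an extracted resource is stored."""
    decoded = unquote(src)  # exactly one round of URL-unescaping
    ext = posixpath.splitext(decoded)[1].lstrip(".")
    # An extension that still carries '%' or a separator after decoding is
    # attacker-shaped data, not a file type.
    if not ext or any(c in ext for c in "%/\\"):
        ext = FALLBACK_EXT
    untrusted = (
        "%" in decoded                      # still encoded: a later decode could change it
        or ".." in decoded                  # parent-directory reference
        or decoded.startswith(("/", "\\"))  # absolute path
        or ":" in decoded                   # drive letter or URI scheme
    )
    if untrusted:
        return f"{hashlib.sha1(contents).hexdigest()}.{ext}"
    return decoded


def stays_inside(root: str, name: str) -> bool:
    """True if name resolves under root, even if a consumer unescapes it again."""
    base = posixpath.normpath(root)
    for candidate in (name, unquote(name)):
        full = posixpath.normpath(posixpath.join(base, candidate))
        if not full.startswith(base + "/"):
            return False
    return True


# Constructed sample inputs (not taken from the commit).
SAMPLES = [
    "images/fig1.png",
    "%2e%2e%2fb.lua",
    "x.lua+%252f%252e%252e%252f%252e%252e%252fb%252elua",
]

if __name__ == "__main__":
    body = b'print "hello"\n'
    for s in SAMPLES:
        name = canonical_media_name(s, body)
        print(f"{s!r} -> {name!r} inside={stays_inside('bar', name)}")
```

The last sample survives one decode with `%` still present, which is the case a `..`-only check misses; `stays_inside` shows that the once-decoded name would leave the extraction directory after a second decode, while the hashed name cannot.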
|
|
The substantive change here is that `-strue` will now work
instead of being interpreted as `-s -true`.
This is somewhat ad hoc, but I don't think we'll ever have
an output format named `rue`, so it's probably okay.
|
|
Previously if you did `pandoc -s -t bbb`, it would give you
an error about the missing bbb template instead of saying that
it's not a supported output format.
|
|
In 3.1.5 boolean arguments were allowed an optional argument
(true|false). This created a regression for uses of fused
short arguments, e.g. `-somyfile.html`, which was equivalent
to `-s -omyfile.html`, but now raised an error because
pandoc attempted to parse `o` as a boolean `true` or `false`.
This change adds a preprocessing step on the raw arguments
before they are sent to the option parser. In this preprocessing
step, `-somyfile.html` would be split into two arguments,
`-s` and `-omyfile.html`. The splitting happens when a
short boolean option is followed by another short option.
Closes #8956.
|
|
This was needed for old base versions only.
|
|
See #8889. The Taylor and Francis guide to JATS says that
`<code>` is block level and not intended to be used inline
within standard text.
|
|
Use ghc 9.2 to address #8955.
|
|
Thanks @fsoedjede
|
|
This should address the problem noted in #8947. With ghc 9.4+,
we were getting AVX instructions in the amd64 binary, which aren't
supported on older hardware. For maximum compatibility we switch
back to ghc 9.2, which doesn't cause the problem. However, we haven't
fully diagnosed the problem, and as documented ghc shouldn't be doing
this.
Note that this doesn't fix the similar problem for the Windows
build (#8955), since that uses stack; we'd need to switch to cabal or
use an older version of stackage lts.
|
|
It takes a boolean argument, and now that all of our boolean
flags take such an argument, we can make this one optional for
consistency.
|
|
Always give the name of the relevant argument.
See #8879.
|
|
Previously the backup PNG was exported even if an SVG was
present, but the SVG should be preferred.
Closes #7244.
|
|
Closes #8952.
|
|
This fixes a number of regressions from pandoc 2.x.
Properly handle caption, alt attribute in figures.
No longer treat a paragraph with a single image in it as a figure
(we have a dedicated Figure element now).
Closes #8930, closes #8871.
|
|
This reverts commit 3e870525da2f344dd439f7567ea834577d9a3a32.
|
|
This allows entities in wikilinks.
|
|
so the difference between line endings between Windows and Unix
is ignored.
This allows test output to be deterministic across OS versions.
|
|
so we can see exactly what dependencies this version was built with.
|
|
for SVG images in HTML5. Closes #8948.
Note that SelfContained does not have access to the writer
name, so we check for HTML5 by determining whether the document
starts with `<DOCTYPE! html>`. This means that inline SVG
won't be used when generating document fragments.
An API change could be contemplated to give more flexibility,
but this is okay for now.
|
|
The last release caused all math to be parsed as inline math.
Closes #8949.
|
|
Closes #8946.
|
|
Affects LaTeX writer.
|
|
Commit 921b0949f4400af2e602982806e48222b7611bd9 bumped the skylighting-core
version, which requires a newer version of xml-conduit than is available in
lts-21.0.
Bump the version in stack.yaml.
|
|