Update all dependencies and fix HTML sanitization escape

.gitignore

@@ -1,2 +1,3 @@
-node_modules
-bundle.js
+/bundle.js
+/node_modules
+/package-lock.json

README.md

@@ -45,9 +45,11 @@ If you're using the default markdown-it parser, I also recommend the [github sty
 <link rel="stylesheet" href="https://cdn.jsdelivr.net/github-markdown-css/2.2.1/github-markdown.css"/>
 ```
 
-`KaTeX` options can be supplied with the second argument to use.
+By default KaTeX is in `throwOnError:false` mode, unlike its upstream
+behavior.  KaTeX options can be supplied with the second argument to `use`.
+
 ```javascript
-md.use(mk, {"throwOnError" : false, "errorColor" : " #cc0000"});
+md.use(mk, {errorColor: "#cc0000"});
 ```
 
 ## Examples
@@ -59,8 +61,8 @@ $\sqrt{3x-1}+(1+x)^2$
 ```
 
 ### Block
-Use two (`$$`) for block rendering. This mode uses bigger symbols and centers
-the result.
+Use two (`$$`) for block rendering. This mode uses bigger symbols and
+centers the result.
 
 ```
 $$\begin{array}{c}
@@ -92,3 +94,21 @@ KaTeX is based on TeX and LaTeX. Support for both is growing. Here's a list of
 currently supported functions:
 
 [Function Support in KaTeX](https://github.com/Khan/KaTeX/wiki/Function-Support-in-KaTeX)
+
+## News
+
+### Version 2.1.0
+
+ * KaTeX dependency updated to 0.16.x — fixes many rendering
+   problems.
+
+ * Behavior change from 2.0.3 and earlier: by default KaTeX is in
+   `throwOnError:false` mode.  This means KaTeX is responsible for the
+   rendering of syntactically invalid math as well as valid math.
+
+   If you set `throwOnError:true`, markdown-it-katex **will not**
+   catch the exception. You are responsible for handling invalid math
+   in this case.
+
+   This change fixes the XSS-with-invalid-math-markup bugs reported
+   against 2.0.3 and earlier.

index.js

@@ -155,18 +155,13 @@ function math_block(state, start, end, silent){
 module.exports = function math_plugin(md, options) {
     // Default options
 
-    options = options || {};
+    options = options ?? {};
+    options.throwOnError ??= false;
 
     // set KaTeX as the renderer for markdown-it-simplemath
     var katexInline = function(latex){
         options.displayMode = false;
-        try{
-            return katex.renderToString(latex, options);
-        }
-        catch(error){
-            if(options.throwOnError){ console.log(error); }
-            return latex;
-        }
+        return katex.renderToString(latex, options);
     };
 
     var inlineRenderer = function(tokens, idx){
@@ -175,17 +170,11 @@ module.exports = function math_plugin(md, options) {
 
     var katexBlock = function(latex){
         options.displayMode = true;
-        try{
-            return "<p>" + katex.renderToString(latex, options) + "</p>";
-        }
-        catch(error){
-            if(options.throwOnError){ console.log(error); }
-            return latex;
-        }
+        return "<p>" + katex.renderToString(latex, options) + "</p>";
     }
 
     var blockRenderer = function(tokens, idx){
-        return  katexBlock(tokens[idx].content) + '\n';
+        return katexBlock(tokens[idx].content) + '\n';
     }
 
     md.inline.ruler.after('escape', 'math_inline', math_inline);

package.json

@@ -1,11 +1,11 @@
 {
   "name": "markdown-it-katex",
-  "version": "2.0.3",
+  "version": "2.1.0",
   "description": "Fast math support for markdown-it with KaTeX",
   "main": "index.js",
   "scripts": {
     "watch": "watchify browser.js -o bundle.js -v",
-    "test": "node test/all.js"
+    "test": "tape test/*.js"
   },
   "repository": {
     "type": "git",
@@ -22,11 +22,11 @@
   "author": "[email protected]",
   "license": "MIT",
   "dependencies": {
-    "katex": "^0.6.0"
+    "katex": "^0.16.0"
   },
   "devDependencies": {
-    "markdown-it": "^6.0.0",
-    "markdown-it-testgen": "^0.1.4",
-    "tape": "^4.5.1"
+    "markdown-it": "^13.0.0",
+    "markdown-it-testgen": "^0.1.0",
+    "tape": "^5.6.0"
   }
 }