diff --git a/pkgs/development/python-modules/django-mdeditor/Bump-KaTeX-and-replace-bootcdn-with-jsdelivr.patch b/pkgs/development/python-modules/django-mdeditor/Bump-KaTeX-and-replace-bootcdn-with-jsdelivr.patch
new file mode 100644
index 000000000000..28f7b182809f
--- /dev/null
+++ b/pkgs/development/python-modules/django-mdeditor/Bump-KaTeX-and-replace-bootcdn-with-jsdelivr.patch
@@ -0,0 +1,63 @@
+From c5af641cccf663dffb4a47d32e28404f609badce Mon Sep 17 00:00:00 2001
+From: Tomo
+Date: Sat, 12 Oct 2024 03:39:12 +0000
+Subject: [PATCH 1/2] chore(KaTeX): bump to 0.7.1
+
+Many bugfixes. This KaTeX is still quite old,
+but versions beyond this have backwards-incompatibilities
+(starting in 0.8).
+---
+ mdeditor/static/mdeditor/js/editormd.js | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mdeditor/static/mdeditor/js/editormd.js b/mdeditor/static/mdeditor/js/editormd.js
+index be0005d..8aacb56 100644
+--- a/mdeditor/static/mdeditor/js/editormd.js
++++ b/mdeditor/static/mdeditor/js/editormd.js
+@@ -4179,8 +4179,8 @@
+ // 使用国外的CDN,加载速度有时会很慢,或者自定义URL
+ // You can custom KaTeX load url.
+ editormd.katexURL = {
+- css : "//cdn.bootcdn.net/ajax/libs/KaTeX/0.3.0/katex.min",
+- js : "//cdn.bootcdn.net/ajax/libs/KaTeX/0.3.0/katex.min"
++ css : "//cdn.bootcdn.net/ajax/libs/KaTeX/0.7.1/katex.min",
++ js : "//cdn.bootcdn.net/ajax/libs/KaTeX/0.7.1/katex.min"
+ };
+ 
+ editormd.kaTeXLoaded = false;
+-- 
+2.46.2
+
+
+From 3d082a738262b057d33b9aa8c777d50113143952 Mon Sep 17 00:00:00 2001
+From: Tomo
+Date: Mon, 7 Oct 2024 17:44:39 -0700
+Subject: [PATCH 2/2] fix(KaTeX): Use jsdelivr instead of bootcdn
+
+Bootcdn was compromised by a malicious actor:
+https://sansec.io/research/polyfill-supply-chain-attack
+
+KaTeX recommends using jsdelivr, so I used that:
+https://katex.org/docs/browser
+---
+ mdeditor/static/mdeditor/js/editormd.js | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mdeditor/static/mdeditor/js/editormd.js b/mdeditor/static/mdeditor/js/editormd.js
+index 8aacb56..a31e817 100644
+--- a/mdeditor/static/mdeditor/js/editormd.js
++++ b/mdeditor/static/mdeditor/js/editormd.js
+@@ -4179,8 +4179,8 @@
+ // 使用国外的CDN,加载速度有时会很慢,或者自定义URL
+ // You can custom KaTeX load url.
+ editormd.katexURL = {
+- css : "//cdn.bootcdn.net/ajax/libs/KaTeX/0.7.1/katex.min",
+- js : "//cdn.bootcdn.net/ajax/libs/KaTeX/0.7.1/katex.min"
++ css : "//cdn.jsdelivr.net/npm/katex@0.7.1/dist/katex.min.css",
++ js : "//cdn.jsdelivr.net/npm/katex@0.7.1/dist/katex.min.js"
+ };
+ 
+ editormd.kaTeXLoaded = false;
+-- 
+2.46.2
+
diff --git a/pkgs/development/python-modules/django-mdeditor/default.nix b/pkgs/development/python-modules/django-mdeditor/default.nix
index 96b5c93bae2d..a495b41c892d 100644
--- a/pkgs/development/python-modules/django-mdeditor/default.nix
+++ b/pkgs/development/python-modules/django-mdeditor/default.nix
@@ -18,6 +18,10 @@ buildPythonPackage {
 hash = "sha256-t57j1HhjNQtBwlbqe4mAHQ9WiNcIhMKYmrZkiqh+k5k=";
 };
 
+ patches = [
+ ./Bump-KaTeX-and-replace-bootcdn-with-jsdelivr.patch
+ ];
+
 propagatedBuildInputs = [ django ];
 
 # no tests
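Review bot: The new `katexURL` values still fetch executable JavaScript from a third-party CDN at page-load time with nothing that pins its content, so the risk the second patch's own description objects to (a CDN operator serving altered code) is moved from bootcdn to jsdelivr rather than removed; the `@0.7.1` in the URL fixes the version, not the bytes. If the loader that consumes `editormd.katexURL.js` (it is outside this hunk) creates the `<script>`/`<link>` element itself, a Subresource Integrity `integrity` attribute together with `crossorigin="anonymous"` would let the browser reject a modified file; otherwise the package could ship KaTeX as a local static asset and point `katexURL` at it, which the surrounding comment `// You can custom KaTeX load url.` already describes as supported. The URLs are also protocol-relative (`//cdn.jsdelivr.net/...`), so on a page served over plain HTTP the library is fetched over HTTP too, and writing `https://cdn.jsdelivr.net/...` would avoid that. The code enclosing the `editormd.katexURL` assignment starts and ends outside the hunk, so whether the loader supports an integrity attribute cannot be confirmed from here.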
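Review bot: The new `patches` entry carries no comment, so a reader of default.nix cannot tell without opening the patch that it exists to stop the editor loading KaTeX from a CDN the patch description reports as compromised. nixpkgs convention is a one-line comment above each patch; something like `# editormd loaded KaTeX from bootcdn (reported compromised); bump KaTeX to 0.7.1 and load it from jsdelivr instead` would do. It would also be worth noting there that the packaged editor still fetches KaTeX from a third-party CDN at runtime, since the patch changes the source host rather than vendoring the library.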