--- filter/tex/filter.php.orig	2009/02/17 05:24:35	1.18.4.4

+++ filter/tex/filter.php	2009/03/26 19:06:29	1.18.4.5

@@ -133,6 +133,16 @@

         $text = str_replace($matches[0][$i],$replacement,$text);

     }

+    // TeX blacklist. MDL-18552

+    $tex_blacklist = array(

+        'include','def','command','loop','repeat','open','toks','output',

+        'input','catcode','name','^^',

+        '\every','\errhelp','\errorstopmode','\scrollmode','\nonstopmode',

+        '\batchmode','\read','\write','csname','\newhelp','\uppercase',

+        '\lowercase','\relax','\aftergroup',

+        '\afterassignment','\expandafter','\noexpand','\special'

+    );

+

     // <tex> TeX expression </tex>

     // or <tex alt="My alternative text to be used instead of the TeX form"> TeX expression </tex>

     // or $$ TeX expression $$

@@ -155,6 +165,19 @@

           $align = "text-top";

           $texexp = preg_replace('/^align=top /','',$texexp);

         }

+    /// Check $texexp against blacklist (whitelisting could be more complete but also harder to maintain). MDL-18552

+        $invalidcommands = array();

+        foreach($tex_blacklist as $command) {

+            if (stristr($texexp, $command)) { /// Found invalid command. Annotate.

+                $invalidcommands[] = $command;

+            }

+        }

+        if (!empty($invalidcommands)) { /// Invalid commands found. Output error and continue with next TeX element

+            $invalidstr = get_string('invalidtexcommand', 'error', implode(', ', $invalidcommands));

+            $text = str_replace( $matches[0][$i], $invalidstr, $text);

+            continue;

+        }

+    /// Everything is ok, let's process the expression

         $md5 = md5($texexp);

         if (! $texcache = get_record("cache_filters","filter","tex", "md5key", $md5)) {

             $texcache->filter = 'tex';