--- filter/tex/filter.php.orig

+++ filter/tex/filter.php

@@ -133,16 +133,6 @@ function tex_filter ($courseid, $text) {

         $text = str_replace($matches[0][$i],$replacement,$text);

     }

-    // TeX blacklist. MDL-18552

-    $tex_blacklist = array(

-        'include','def','command','loop','repeat','open','toks','output',

-        'input','catcode','name','^^',

-        '\every','\errhelp','\errorstopmode','\scrollmode','\nonstopmode',

-        '\batchmode','\read','\write','csname','\newhelp','\uppercase',

-        '\lowercase','\relax','\aftergroup',

-        '\afterassignment','\expandafter','\noexpand','\special'

-    );

-

     // <tex> TeX expression </tex>

     // or <tex alt="My alternative text to be used instead of the TeX form"> TeX expression </tex>

     // or $$ TeX expression $$

@@ -165,19 +155,6 @@ function tex_filter ($courseid, $text) {

           $align = "text-top";

           $texexp = preg_replace('/^align=top /','',$texexp);

         }

-    /// Check $texexp against blacklist (whitelisting could be more complete but also harder to maintain). MDL-18552

-        $invalidcommands = array();

-        foreach($tex_blacklist as $command) {

-            if (stristr($texexp, $command)) { /// Found invalid command. Annotate.

-                $invalidcommands[] = $command;

-            }

-        }

-        if (!empty($invalidcommands)) { /// Invalid commands found. Output error and continue with next TeX element

-            $invalidstr = get_string('invalidtexcommand', 'error', implode(', ', $invalidcommands));

-            $text = str_replace( $matches[0][$i], $invalidstr, $text);

-            continue;

-        }

-    /// Everything is ok, let's process the expression

         $md5 = md5($texexp);

         if (! $texcache = get_record("cache_filters","filter","tex", "md5key", $md5)) {

             $texcache->filter = 'tex';

--- filter/tex/latex.php.orig

+++ filter/tex/latex.php

@@ -44,9 +44,11 @@

          * @return string the latex document

          */

         function construct_latex_document( $formula, $fontsize=12 ) {

-            // $fontsize don't affects to formula's size. $density can change size

-

             global $CFG;

+

+            $formula = tex_sanitize_formula($formula);

+

+            // $fontsize don't affects to formula's size. $density can change size

             $doc =  "\\documentclass[{$fontsize}pt]{article}\n"; 

             $doc .=  $CFG->filter_tex_latexpreamble;

             $doc .= "\\pagestyle{empty}\n";

--- filter/tex/lib.php.orig

+++ filter/tex/lib.php

@@ -34,8 +34,22 @@ function tex_filter_get_executable($debug=false) {

     error($error_message1);

 }

+function tex_sanitize_formula($texexp) {

+    /// Check $texexp against blacklist (whitelisting could be more complete but also harder to maintain)

+    $tex_blacklist = array(

+        'include','def','command','loop','repeat','open','toks','output',

+        'input','catcode','name','^^',

+        '\every','\errhelp','\errorstopmode','\scrollmode','\nonstopmode',

+        '\batchmode','\read','\write','csname','\newhelp','\uppercase',

+        '\lowercase','\relax','\aftergroup',

+        '\afterassignment','\expandafter','\noexpand','\special'

+    );

+

+    return  str_ireplace($tex_blacklist, 'forbiddenkeyword', $texexp);

+}

 function tex_filter_get_cmd($pathname, $texexp) {

+    $texexp = tex_sanitize_formula($texexp);

     $texexp = escapeshellarg($texexp);

     $executable = tex_filter_get_executable(false);

--- lib/db/upgrade.php.orig

+++ lib/db/upgrade.php

@@ -3106,6 +3106,13 @@ function xmldb_main_upgrade($oldversion=0) {

         upgrade_main_savepoint($result, 2007101542);

     }

+    if ($result && $oldversion < 2007101545.01) {

+        require_once("$CFG->dirroot/filter/tex/lib.php");

+        filter_tex_updatedcallback(null);

+    /// Main savepoint reached

+        upgrade_main_savepoint($result, 2007101545.01);

+    }

+

     return $result;

 }

--- version.php.orig

+++ version.php

@@ -6,7 +6,7 @@

 // This is compared against the values stored in the database to determine

 // whether upgrades should be performed (see lib/db/*.php)

-    $version = 2007101540;  // YYYYMMDD      = date of the 1.9 branch (don't change)

+    $version = 2007101545.01;  // YYYYMMDD      = date of the 1.9 branch (don't change)

                             //         X     = release number 1.9.[0,1,2,3,4,5...]

                             //          Y.YY = micro-increments between releases