
If I accept any input from the scary Internet to generate first a tex file and then a pdf using XeTeX in a server, is it enough to remove all backslashes and escape all the reserved characters #, %, $, _, ^, &, {, } as \#, \%, etc. to be on the safe side?

Edit:

The backslash-removal and character-escaping is done just in the content part of the file, for instance:

\documentclass{article}
\title{Example}
\begin{document}
\maketitle
% only the next line is built from user input; everything else is fixed
This is the user generated input with characters like \#, \%.
\end{document}
  • Why don't you just tell TeX to treat it as a string? – cfr Mar 23 '17 at 01:54
  • Sorry, I just edited the question to make it clear that the user generated input is just a part of the tex file. – Victor Mar 23 '17 at 02:02
  • With an engine like pdflatex you're pretty safe, unless you enable shell escapes and such. – JPi Mar 23 '17 at 02:28
  • Though I guess that directives can be used to change the engine if you compile it from an editor. – JPi Mar 23 '17 at 02:45
  • I don't understand why that would stop you treating it as a string. So long as the user-generated bit isn't to have anything which does anything, why can't you treat it as a string? @JPi Better to disable shell escape altogether. – cfr Mar 23 '17 at 02:57
  • I'm not sure you get anything sensible if you strip all backslashes from the input. What if the user wants to typeset a fraction? $\frac{1}{3}$ would become \$frac\{1\}\{3\}\$. – egreg Mar 23 '17 at 07:21
  • If you just want to include something verbatim, then include it between \begin{verbatim}...\end{verbatim} (in this case you have to make sure that the text does not contain a line with \end{verbatim}), or even better, put the external text into a file and include it verbatim. – gernot Mar 23 '17 at 08:16
  • @cfr How do you tell TeX to treat it as a string? – ShreevatsaR Mar 23 '17 at 16:28
  • Well, \string. But only for shortish things, of course. Otherwise verbatim or whatever. – cfr Mar 23 '17 at 22:55
  • @Victor I was going to answer this question but there is a lot I don't know. Anyway, if you don't care about how the content is typeset (as seems to be the case), then a different solution I would use, instead of escaping with backslashes, is to change the category code of every character (from 0 to 255) to "letter" (or at least, something innocuous). Then you can be sure that TeX will not treat it as a command, say. However, I don't know whether there exist any crashes or the like in TeX or XeTeX. Probably unlikely for plain TeX at least, but you may want to compile and run with afl-fuzz say. – ShreevatsaR Apr 02 '17 at 17:13
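An added example, not code from the question or from any of the commenters, showing how a server-side script could apply the escaping the question describes together with the precautions raised in the comments (shell escape off, the verbatim caveat). Python, the function names (escape_latex, verbatim_safe, build_document, xelatex_command, compile_pdf) and the sample strings are assumptions constructed for this example. It keeps backslashes as \textbackslash{} instead of deleting them, adds the two characters the question's list leaves out (~ and the backslash itself), and maps ^ to \textasciicircum{} rather than \^, because \^ is an accent macro that consumes the token after it.

```python
"""Sanitizing untrusted text before it goes into a LaTeX body.

Added example (not from the question or its comments). Assumes a Python
service that writes the .tex file itself and then runs xelatex on it.
"""
import re
import subprocess

# One replacement per LaTeX special character. The question's list names the
# first eight; '~' and the backslash itself also need handling. '~', '^' and
# '\' are mapped to command forms with an empty group: \~ and \^ are accent
# macros that would consume the next token, and a bare \textbackslash would
# swallow the whitespace after it. Mapping '^' also removes TeX's ^^ notation,
# so escaped text can never re-introduce a character TeX would act on.
_LATEX_ESCAPES = {
    "\\": r"\textbackslash{}",
    "#": r"\#",
    "$": r"\$",
    "%": r"\%",
    "&": r"\&",
    "_": r"\_",
    "{": r"\{",
    "}": r"\}",
    "~": r"\textasciitilde{}",
    "^": r"\textasciicircum{}",
}

# ASCII control characters other than tab, newline and carriage return.
# LaTeX reports most of them as invalid characters, which aborts the job.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

# verbatim ends at the first \end{verbatim} found in the input (gernot's
# comment); allowing optional whitespace keeps the check conservative.
_END_VERBATIM = re.compile(r"\\end\s*\{\s*verbatim\s*\}")


def escape_latex(text: str) -> str:
    r"""Return text that typesets literally inside a LaTeX document body.

    Characters are mapped in a single pass, so the braces introduced by
    \textbackslash{} are never escaped a second time (a chain of
    str.replace calls gets this wrong unless the backslash goes first).
    """
    cleaned = _CONTROL_CHARS.sub("", text)
    return "".join(_LATEX_ESCAPES.get(ch, ch) for ch in cleaned)


def verbatim_safe(text: str) -> bool:
    r"""True if text can be wrapped in \begin{verbatim}...\end{verbatim}
    without the environment being closed early by the text itself."""
    return _END_VERBATIM.search(text) is None


def build_document(title: str, body: str) -> str:
    """Assemble the .tex source: fixed preamble, escaped user text in the body only."""
    return "\n".join([
        r"\documentclass{article}",
        r"\title{" + escape_latex(title) + "}",
        r"\begin{document}",
        r"\maketitle",
        escape_latex(body),
        r"\end{document}",
        "",
    ])


def xelatex_command(tex_path: str, out_dir: str) -> list:
    """Argument list for the compile step: shell escape is forced off whatever
    the texmf.cnf default is, and any error stops the run instead of prompting."""
    return [
        "xelatex",
        "-no-shell-escape",
        "-halt-on-error",
        "-interaction=nonstopmode",
        "-output-directory=" + out_dir,
        tex_path,
    ]


def compile_pdf(tex_path: str, out_dir: str, timeout_s: int = 60) -> int:
    """Run xelatex with no stdin and a wall-clock limit; return its exit code.

    subprocess.TimeoutExpired is left to the caller: a TeX job that loops
    should fail the request, not hold a worker forever."""
    result = subprocess.run(
        xelatex_command(tex_path, out_dir),
        stdin=subprocess.DEVNULL,
        capture_output=True,
        timeout=timeout_s,
    )
    return result.returncode
```

Escaping only neutralises what goes into the body; the compile step still needs shell escape disabled on the command line (so a permissive texmf.cnf cannot re-enable it), a timeout, and ideally a scratch output directory and an unprivileged user, since the texmf.cnf settings openin_any and openout_any are what limit which files a TeX job may read and write.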
