Closed
We have several features/features in waiting that should probably only be used when the LaTeX code is from a trusted source:
- embedding arbitrary images (Support \includegraphics #1620, merged) could be used for tracking users
- arbitrary `class`/`id` attributes (Add \class and \cssId on non-strict mode #1437) could break pages with duplicate `id`s in particular, allow unintended formatting (?)
- arbitrary HTML (Add \html command to insert HTML #1596) could be a big security hole
I think we need some kind of security or trust option (like we did with strict) before these should be released. The simplest thing would be to have a Boolean trusted flag that turns on all of these features. Might we want more granularity? Maybe trusted: ['images', 'class'] turns on images + class but not ID and HTML?
Links and embedded images are quite different, so our existing URL restrictions don't suffice. On the other hand, we might want to replace our URL restrictions with this security/trust mechanism...? For example, we might want to allow images from http: but not file:, like we can do for links.
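One way the granular option proposed above could be evaluated, as an added example that is not KaTeX code and not part of the original issue: `trusted` is either a Boolean or a list of feature names, and image URLs are additionally filtered by scheme. The function names, the `imageProtocols` option and the `'id'`/`'html'` feature names are assumptions made for this sketch.

```javascript
// Added illustration of the proposal in this issue; hypothetical names, not KaTeX's API.
// 'images' and 'class' come from the issue's example; 'id' and 'html' are assumed names.
const FEATURES = ['images', 'class', 'id', 'html'];

// Turn the `trusted` setting into a set of enabled features.
// true enables everything, a falsy value enables nothing, an array enables
// only what it lists. Unknown names throw so a typo cannot go unnoticed.
function normalizeTrusted(trusted) {
  if (trusted === true) return new Set(FEATURES);
  if (!trusted) return new Set();
  if (!Array.isArray(trusted)) {
    throw new TypeError('trusted must be a Boolean or an array of feature names');
  }
  for (const name of trusted) {
    if (!FEATURES.includes(name)) throw new RangeError(`unknown feature: ${name}`);
  }
  return new Set(trusted);
}

// Lower-cased URL scheme, or '_relative' when the URL has none.
// Whitespace and control characters are dropped first, so inputs such as
// " FILE:" or "fi\tle:" are classified by the scheme a browser would see.
function protocolOf(url) {
  const cleaned = String(url).replace(/[\x00-\x20]/g, '');
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return match ? match[1].toLowerCase() : '_relative';
}

// Decide whether one untrusted-input feature request may be rendered.
// request: { feature, url? }
// options: { trusted, imageProtocols? }
function isAllowed(request, options) {
  const enabled = normalizeTrusted(options.trusted);
  if (!enabled.has(request.feature)) return false;
  if (request.feature === 'images') {
    // Images are fetched automatically on render, so the scheme is checked
    // even when the feature itself is enabled. Relative URLs are refused
    // unless '_relative' is listed explicitly.
    const allowed = options.imageProtocols || ['http', 'https'];
    return allowed.includes(protocolOf(request.url));
  }
  return true;
}
```
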