Hi maintainers,
I found an issue in a markdown rendering pipeline using marked + marked-katex-extension + katex + dompurify.
For expressions like $\sqrt{2}$, the square-root symbol does not appear at all.
Affected file
src/lib/markdown.ts
Root cause
In src/lib/markdown.ts, the DOMPurify whitelist allows MathML tags but does not allow KaTeX SVG output (svg/path + related attributes).
KaTeX uses an SVG path for radical symbols, so the sanitizer strips them and \sqrt disappears.
Current sanitize block (simplified):
```ts
const sanitized = DOMPurify.sanitize(html, {
  ALLOWED_ATTR: [
    "href", "target", "rel", "class", "src", "alt", "title",
    "type", "checked", "disabled",
    ...MATH_ALLOWED_ATTRS,
  ],
  ALLOWED_TAGS: [
    "p", "br", "em", "strong", "code", "pre", "a", "ul", "ol", "li",
    "blockquote", "h1", "h2", "h3", "h4", "h5", "h6", "hr", "img",
    "table", "thead", "tbody", "tr", "th", "td", "div", "span", "input", "button",
    ...MATH_ALLOWED_TAGS,
  ],
});
```
Steps to reproduce
- Render markdown with KaTeX extension (output: "htmlAndMathml").
- Sanitize rendered HTML with DOMPurify config above (without SVG whitelist).
- Render $\sqrt{2}$.
Actual behavior
The \sqrt symbol is missing entirely.
Expected behavior
The \sqrt symbol should be visible and rendered normally.
Suggested fix
Allow SVG tags and attributes in sanitizer config:
```ts
const sanitized = DOMPurify.sanitize(html, {
  ALLOWED_ATTR: [
    "href", "target", "rel", "class", "src", "alt", "title",
    "type", "checked", "disabled",
    "xmlns", "viewBox", "preserveAspectRatio", "d", "fill", "stroke", "transform", "width", "height",
    ...MATH_ALLOWED_ATTRS,
  ],
  ALLOWED_TAGS: [
    "p", "br", "em", "strong", "code", "pre", "a", "ul", "ol", "li",
    "blockquote", "h1", "h2", "h3", "h4", "h5", "h6", "hr", "img",
    "table", "thead", "tbody", "tr", "th", "td", "div", "span", "input", "button",
    "svg", "path",
    ...MATH_ALLOWED_TAGS,
  ],
});
```
After this change, \sqrt appears correctly.
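A dependency-free way to list which tag and attribute names in the rendered markup fall outside each of the two allowlists above, as an added example that is not part of the original issue or the project's code. The `MATH_ALLOWED_*` contents and the KaTeX fragment are constructed stand-ins, and the check compares names only, without running DOMPurify.

```typescript
// Added example, not project code. Compares names against the allowlists only;
// it does not reproduce DOMPurify's other checks.
type Allowlist = { ALLOWED_TAGS: string[]; ALLOWED_ATTR: string[] };

// Hypothetical stand-ins: the issue does not show these two constants.
const MATH_ALLOWED_TAGS = ["math", "semantics", "mrow", "msqrt", "mn"];
const MATH_ALLOWED_ATTRS: string[] = [];

const BASE_TAGS = ["p", "br", "em", "strong", "code", "pre", "a", "ul", "ol", "li",
  "blockquote", "h1", "h2", "h3", "h4", "h5", "h6", "hr", "img", "table", "thead",
  "tbody", "tr", "th", "td", "div", "span", "input", "button"].concat(MATH_ALLOWED_TAGS);
const BASE_ATTR = ["href", "target", "rel", "class", "src", "alt", "title", "type",
  "checked", "disabled"].concat(MATH_ALLOWED_ATTRS);

const current: Allowlist = { ALLOWED_TAGS: BASE_TAGS, ALLOWED_ATTR: BASE_ATTR };
const suggested: Allowlist = {
  ALLOWED_TAGS: BASE_TAGS.concat(["svg", "path"]),
  ALLOWED_ATTR: BASE_ATTR.concat(["xmlns", "viewBox", "preserveAspectRatio", "d",
    "fill", "stroke", "transform", "width", "height"]),
};

// Constructed sample modelled on KaTeX markup for a radical (trimmed, not captured output).
const SAMPLE = '<span class="katex"><math><semantics><mrow><msqrt><mn>2</mn></msqrt>' +
  '</mrow></semantics></math><span class="hide-tail">' +
  '<svg xmlns="http://www.w3.org/2000/svg" width="400em" height="1.08em" ' +
  'viewBox="0 0 400000 1080" preserveAspectRatio="xMinYMin slice">' +
  '<path d="M95,702c-2.7,0,-7.17,-2.7,-13.5,-8z"/></svg></span></span>';

// Keep the first occurrence of each name that is absent from `allowed` (case-insensitive).
function notAllowed(names: string[], allowed: string[]): string[] {
  const lower = allowed.map((a) => a.toLowerCase());
  return names.filter((n, i) => names.indexOf(n) === i && lower.indexOf(n.toLowerCase()) < 0);
}

// List the tag and attribute names found in `html` that `cfg` does not allow.
function wouldStrip(html: string, cfg: Allowlist): { tags: string[]; attrs: string[] } {
  const tags: string[] = [];
  const attrs: string[] = [];
  const tagRe = /<([A-Za-z][\w:-]*)((?:\s+[\w:-]+="[^"]*")*)\s*\/?>/g;
  let t: RegExpExecArray | null;
  while ((t = tagRe.exec(html)) !== null) {
    tags.push(t[1]);
    const attrRe = /([\w:-]+)="[^"]*"/g;
    let a: RegExpExecArray | null;
    while ((a = attrRe.exec(t[2])) !== null) attrs.push(a[1]);
  }
  return { tags: notAllowed(tags, cfg.ALLOWED_TAGS), attrs: notAllowed(attrs, cfg.ALLOWED_ATTR) };
}

console.log(wouldStrip(SAMPLE, current), wouldStrip(SAMPLE, suggested));
```

Running the same function over real renderer output shows whether any entry added to the allowlist is not actually needed, which keeps the sanitizer config as narrow as the markup allows.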