Install MathJAX plugin on wordpress



7 years ago
5 years ago


(Reporter: mfuller, Assigned: dmaher)




(1 attachment)



7 years ago
+++ This bug was initially created as a clone of Bug #694700 +++

Could you please install MathJax plugin for latex math on the blog of metrics wordpress blog?

Thank you

Comment 1

7 years ago
I've completed this review - below are some notes for the person who will be installing this plugin.

- Do not install it via WordPres' "add plugin" page. Instead, download the source from the MathJax website ( and copy it to the plugin directory or another folder within the /www/wordpress root.
- Only load the plugin when it is needed (via the JavaScript src in the post itself). This will also improve load times on pages the plugin isn't needed.
- The plugin directory (wherever you save it) should not allow directory listing
- Delete the file "" in /docs/source. It's not needed and exposes unnecessary code.

I am attaching my full notes as an attachment for archiving purposes, but the above points are the focus.

Comment 2

7 years ago
Created attachment 637623 [details]
Security Review Notes
From a maintainability perspective I can't justify plugins having unique/different deployment methodologies. We don't (can't) use the built-in installer/updater, so that's not an issue... my concerns are around the other points.

It sounds to me like you're saying we should make the plugin available but then not activate it anywhere, and authors will be expected to manually insert the proper HTML to load the relevant .js file at edit-time. I can't see this being very usable... Wordpress has a habit of wiping out custom HTML if anyone touches the WYSIWYG editor. Meaning, posts using this would have to be done almost entirely via direct HTML coding. If's also somewhat questionable if all potential users of this would have the knowledge/experience to do this properly.

This would also make it difficult to determine which blogs are using the plugin- currently we can craft a DB query for this... but if the plugin isn't technically "enabled" for a blog, that won't work. We would have to crawl every post in every blog.

Another issue is that once it's installed I can't really enforce a rule saying that blog admins cannot "enable" it. If it's installed, they can enable it.

This would also make CDN configuration more problematic (we've started work on making use a CDN). If posts are simply hard-coding paths to specific URLs, we can't use something like WP Super Cache or W3TC to redirect them to a CDN as we were planning.

If this is what we want to do, I would prefer to just use the provided upstream CDN instance rather than munge in something to our WP install. This solves the latter 3 concerns, and has no significant effect on the first one.

Failing that my next choices in order of preference would be:

Use this like a normal WP plugin (install/enable/use), or

Set this up someplace else entirely, not within WP/blogmo- like the upstream CDN instance, but Mozilla-controlled. Authors would still need to load the javascript by hand in the necessary posts.

Any thoughts on this?


7 years ago
Assignee: server-ops → nmaul

Comment 4

7 years ago
That point is actually from the MathJax documentation -> although it is a "plugin", it's really just a bunch of JavaScript files that can be called on the page. The documentation recommends not loading it on every page, although, if that's what you need to do to make it simpler for the blog authors, it does not raise a security concern. There is no real "activation" for this plugin, rather you just add the script link at the top of the post which allows you to use the special characters to create math formulas.

You can also use a CDN as long as we have control of that CDN (I'm assuming we would). The reference I made to the CDN is MathJax's CDN hosted off-site which could cause cross-domain script issues especially since we don't control that source, yet we are trusting it.

Let me know if this makes sense. There are more installation instructions on the MathJax documentation page, but it looks like your install steps would be:

- Download the ZIP
- Extract it to a folder on the /wordpress root (can be in "plugins" for simplicity)
- Add a link to the mathjax js via some form of include or in WordPress by adding it to the top of each post (either automatically or manually).
- The author simply uses it by typing the special formula characters as MathJax defines.

From a security standpoint, it doesn't matter how you get it to work, as long as there are no third-party resources in use (the JS must be hosted locally or on our CDN).
Okay that helps, thanks.

This plugin would be my ideal scenario:

It appears to be configurable in terms of where it gets MathJax from (local, MathJax CDN, or a custom URL), claims to only load it when the page calls for it, we can deploy it like any other WP plugin, and it sounds like it will require no special actions by the post Author(s).

Any thoughts on this wrapper?

Comment 6

7 years ago
That works well, although make sure that when it is configured, the content is retrieved locally (not the MathJax CDN). This will mean you have to download the needed JS separately and save it on the server and then set up through the plugin the ability to talk with that local JS copy. The reason I originally reviewed the file itself is because it was version 2.0, and this plugin appears to be 1.0, although I see no major differences that would cause security issues (functionality is still the same).


7 years ago
Whiteboard: [pending secreview][Q3][good first bug] → [Q3][good first bug]
Whiteboard: [Q3][good first bug]
Excellent, I'm happy with that.

Summary: We will:

1) install

2) configure it to use a *local* copy of the JS files (*not* MathJax CDN), right on blogmo. This entails a separate download apart from the plugin, but should otherwise be straightforward.

3) Activate it for the Metrics blog here:

Moving to the WebOps component and unassigning... anyone on WebOps should be able to take care of this. :)
Assignee: nmaul → server-ops-webops
Severity: minor → normal
Component: Server Operations → Server Operations: Web Operations
Priority: P3 → --
QA Contact: phong → cshields
Assignee: server-ops-webops → dmaher


7 years ago

Comment 8

7 years ago
In stage:

1. Installed the mathjax-latex plugin via the SVN method (as normal).
2. Downloaded the separate JS package and configured the plugin to use it (instead of the CDN).
3. Activated for the metrics blog.

There are no obvious errors, and a test post on stage using the plugin syntax appeared to render the equation as expected.  Will proceed with prod.

Comment 9

7 years ago
Deployed and tested in prod - looks to be functional.

If you have any further comments or concerns, don't hesitate to let me know.  Have a good day !
Last Resolved: 7 years ago
Resolution: --- → FIXED

Comment 10

7 years ago
Thank you, I will note this in the original bug.
Thanks all.
Component: Server Operations: Web Operations → WebOps: Other
Product: → Infrastructure & Operations
You need to log in before you can comment on or make changes to this bug.