From b2cf86b905ba953de11479f3e6446678a9741511 Mon Sep 17 00:00:00 2001
From: Arne Ludwig
Date: Thu, 30 Jul 2015 11:44:47 +0200
Subject: [PATCH 1/3] Don't mind LaTeX commands beginning with bad names
---
 anki/latex.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/anki/latex.py b/anki/latex.py
index 0931e8cde..9793c55fc 100644
--- a/anki/latex.py
+++ b/anki/latex.py
@@ -78,9 +78,12 @@ def _buildImg(col, latex, fname, model):
 latex = latex.encode("utf8")
 # it's only really secure if run in a jail, but these are the most common
 tmplatex = latex.replace("\\includegraphics", "")
- for bad in ("write18", "\\readline", "\\input", "\\include", "\\catcode",
- "\\openout", "\\write", "\\loop", "\\def", "\\shipout"):
- if bad in tmplatex:
+ for bad in ("write18", "\\\\readline", "\\\\input", "\\\\include",
+ "\\\\catcode", "\\\\openout", "\\\\write", "\\\\loop",
+ "\\\\def", "\\\\shipout"):
+ # don't mind if the sequence is only part of a command
+ bad_re = bad + "[^a-zA-Z]"
+ if re.search(bad_re, tmplatex):
 return _("""\
 For security reasons, '%s' is not allowed on cards. You can still use \
 it by placing the command in a different package, and importing that \
From d8d9bf4dcdd7e80c87595d07b846aee2e98a44cd Mon Sep 17 00:00:00 2001
From: Arne Ludwig
Date: Thu, 30 Jul 2015 12:43:41 +0200
Subject: [PATCH 2/3] Extended LaTeX tests on bad commands
---
 tests/test_latex.py | 58 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
diff --git a/tests/test_latex.py b/tests/test_latex.py
index 9599d4556..cb723461f 100644
--- a/tests/test_latex.py
+++ b/tests/test_latex.py
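Review bot: In the `_buildImg` hunk of patch 1/3 (anki/latex.py), `bad_re = bad + "[^a-zA-Z]"` matches only when some non-letter character follows the command, so a blocked command that is the very last thing in `tmplatex` is no longer reported, whereas the removed `bad in tmplatex` test reported it. A negative lookahead says "not followed by a letter" without needing a following character: `bad_re = bad + "(?![a-zA-Z])"`. The rewrite of this line in patch 3/3 keeps the same trailing class and has the same gap. Whether card text can actually end the string depends on how `latex` is assembled earlier in `_buildImg`, which lies outside the hunk. As the existing comment admits, the list is best effort; invoking the TeX binary with `-no-shell-escape` and a restrictive `openout_any` setting would give a control that does not depend on pattern matching.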
@@ -53,3 +53,61 @@ def test_latex():
 assert len(os.listdir(d.media.dir())) == 2
 assert stripHTML(f.cards()[0].q()) == "[latex]foo[/latex]"
 assert ".png" in oldcard.q()
+ # turn it on again so other test don't suffer
+ anki.latex.build = True
+
+def test_bad_latex_command_write18():
+ (result, msg) = _test_includes_bad_command("\\write18")
+ assert result, msg
+
+def test_bad_latex_command_readline():
+ (result, msg) = _test_includes_bad_command("\\readline")
+ assert result, msg
+
+def test_bad_latex_command_input():
+ (result, msg) = _test_includes_bad_command("\\input")
+ assert result, msg
+
+def test_bad_latex_command_include():
+ (result, msg) = _test_includes_bad_command("\\include")
+ assert result, msg
+
+def test_bad_latex_command_catcode():
+ (result, msg) = _test_includes_bad_command("\\catcode")
+ assert result, msg
+
+def test_bad_latex_command_openout():
+ (result, msg) = _test_includes_bad_command("\\openout")
+ assert result, msg
+
+def test_bad_latex_command_write():
+ (result, msg) = _test_includes_bad_command("\\write")
+ assert result, msg
+
+def test_bad_latex_command_loop():
+ (result, msg) = _test_includes_bad_command("\\loop")
+ assert result, msg
+
+def test_bad_latex_command_def():
+ (result, msg) = _test_includes_bad_command("\\def")
+ assert result, msg
+
+def test_bad_latex_command_shipout():
+ (result, msg) = _test_includes_bad_command("\\shipout")
+ assert result, msg
+
+def test_good_latex_command_works():
+ # inserting commands beginning with a bad name should not raise an error
+ (result, msg) = _test_includes_bad_command("\\defeq")
+ assert not result, msg
+ # normal commands should not either
+ (result, msg) = _test_includes_bad_command("\\emph")
+ assert not result, msg
+
+def _test_includes_bad_command(bad):
+ d = getEmptyCol()
+ f = d.newNote()
+ f['Front'] = u'[latex]%s[/latex]' % bad;
+ d.addNote(f)
+ q = f.cards()[0].q()
+ return ("'%s' is not allowed on cards" % bad in q, "Card content: %s" % q)
\ No newline at end of file
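Review bot: Every case in the new tests puts the bare command directly before `[/latex]`, so the suite never checks a blocked command followed by `{`, whitespace or a digit, which are exactly the boundaries the `[^a-zA-Z]` suffix in anki/latex.py decides on. `_test_includes_bad_command` would need to take the card text and the expected command name as separate arguments to cover those, because it currently formats the same `bad` value into both the card and the expected message. The ten `test_bad_latex_command_*` functions differ only in the literal and could be driven from one tuple of names. The statement `f['Front'] = u'[latex]%s[/latex]' % bad;` carries a stray trailing semicolon.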
From b5f375cc243f6b75cb98ff6a7fb436bd6147090a Mon Sep 17 00:00:00 2001
From: Arne Ludwig
Date: Thu, 30 Jul 2015 12:44:58 +0200
Subject: [PATCH 3/3] Adjusted code for bad latex commands to pass tests
---
 anki/latex.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/anki/latex.py b/anki/latex.py
index 9793c55fc..4b1913b68 100644
--- a/anki/latex.py
+++ b/anki/latex.py
@@ -78,11 +78,11 @@ def _buildImg(col, latex, fname, model):
 latex = latex.encode("utf8")
 # it's only really secure if run in a jail, but these are the most common
 tmplatex = latex.replace("\\includegraphics", "")
- for bad in ("write18", "\\\\readline", "\\\\input", "\\\\include",
- "\\\\catcode", "\\\\openout", "\\\\write", "\\\\loop",
- "\\\\def", "\\\\shipout"):
+ for bad in ("\\write18", "\\readline", "\\input", "\\include",
+ "\\catcode", "\\openout", "\\write", "\\loop",
+ "\\def", "\\shipout"):
 # don't mind if the sequence is only part of a command
- bad_re = bad + "[^a-zA-Z]"
+ bad_re = "\\" + bad + "[^a-zA-Z]"
 if re.search(bad_re, tmplatex):
 return _("""\
 For security reasons, '%s' is not allowed on cards. You can still use \
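Review bot: The new line `bad_re = "\\" + bad + "[^a-zA-Z]"` escapes the pattern by hand, so it is correct only while every entry in the tuple starts with exactly one backslash and contains no other regex metacharacter. An entry written without the backslash, as `"write18"` was before this patch, would become `\w` followed by `rite18` and silently match unrelated text. `bad_re = re.escape(bad) + "[^a-zA-Z]"` builds the same pattern for the current list and stays correct however an entry is spelled. `_buildImg` begins and ends outside the hunk, so the `re` import cannot be confirmed from here.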