From dfbd2e27d3247fad237b8a4d49f8cf0a1585930b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Commaille?= Date: Wed, 8 May 2024 18:27:21 +0200 Subject: [PATCH] Add warning box MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Kévin Commaille --- content/client-server-api/modules/instant_messaging.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/content/client-server-api/modules/instant_messaging.md b/content/client-server-api/modules/instant_messaging.md index 558a80e5..d396d20e 100644 --- a/content/client-server-api/modules/instant_messaging.md +++ b/content/client-server-api/modules/instant_messaging.md @@ -429,6 +429,15 @@ representation instead. Clients SHOULD, however, aim to support, at minimum, the basic LaTeX2e maths commands and the TeX maths commands, with the possible exception of commands that could be security risks. +{{% boxes/warning %}} +Certain commands, such as [those that can create macros](https://katex.org/docs/supported#macros), +are potentially dangerous. Clients should either decline to process those +commands, or should take care to ensure that they are handled in safe ways (such +as by limiting recursion). In general, LaTeX commands should be filtered by +allowing known-good commands rather than forbidding known-bad commands. Some +LaTeX libraries may have options for doing this. +{{% /boxes/warning %}} + #### Server behaviour Homeservers SHOULD reject `m.room.message` events which don't have a
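Review bot: the normative keywords in the new warning box are inconsistent with the surrounding spec text. The sentence immediately above the box uses RFC 2119 capitals ("Clients SHOULD, however, aim to support, at minimum, ..."), while the box says "Clients should either decline to process those commands, or should take care ..." and "LaTeX commands should be filtered by allowing known-good commands" in lowercase, so a reader cannot tell whether the allowlist advice is a requirement or informal guidance. Suggest capitalising SHOULD where a requirement is intended, or rewording the box so it is clearly informative. Two smaller points on the same hunk: "such as by limiting recursion" names only one mitigation, and a bound on the total number of macro expansions covers both deep (recursive) and wide (repeated) expansion, so "such as by bounding macro expansion" would state the mitigation more precisely; and "Some LaTeX libraries may have options for doing this" is too vague to act on, so either say what kind of option is meant (a command allowlist, an expansion limit) or drop the sentence.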