docs: red CAUTION block for security warning, fix hallucinated Overleaf/Typst claim

Use GitHub's > [!CAUTION] admonition (renders with red background) for the trusted-environment security warning, matching the style used by Collabst.

Remove invented claim that Overleaf is working on Typst support — that was a hallucination. Replace with a plain "Verso is built on Overleaf's infra" statement.

Add RevealJS as a separate ecosystem project worth supporting.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -152,19 +152,20 @@ Refinements to the Typst editor and the format badge system:
|
||||
|
||||
## Security model — trusted environments only
|
||||
|
||||
Verso is designed for **closed groups of trusted users** (a lab, a class, a small
|
||||
team). All three compilers can execute arbitrary code on the server:
|
||||
|
||||
- LaTeX with shell-escape enabled can run system commands.
|
||||
- Quarto Python cells execute Python code directly.
|
||||
- Typst's scripting layer is sandboxed by design, but runs server-side.
|
||||
|
||||
There is **no per-project sandbox or resource isolation** beyond what the
|
||||
operating system provides. Exposing Verso to the public internet with
|
||||
open registration is not recommended. If you need to host a collaborative
|
||||
LaTeX/Typst editor for untrusted users or at scale, look at
|
||||
[Overleaf's non-Community offerings](https://www.overleaf.com/for/enterprises),
|
||||
which include proper sandboxing and enterprise access controls.
|
||||
> [!CAUTION]
|
||||
> Verso is designed for **closed groups of trusted users** (a lab, a class, a
|
||||
> small team). All three compilers can execute arbitrary code on the server:
|
||||
>
|
||||
> - LaTeX with shell-escape enabled can run system commands.
|
||||
> - Quarto Python cells execute Python code directly.
|
||||
> - Typst's scripting layer is sandboxed by design, but runs server-side.
|
||||
>
|
||||
> There is **no per-project sandbox or resource isolation** beyond what the
|
||||
> operating system provides. Exposing Verso to the public internet with open
|
||||
> registration is not recommended. If you need to host a collaborative
|
||||
> LaTeX/Typst editor for untrusted users or at scale, look at
|
||||
> [Overleaf's non-Community offerings](https://www.overleaf.com/for/enterprises),
|
||||
> which include proper sandboxing and enterprise access controls.
|
||||
|
||||
---
|
||||
|
||||
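Review bot: In the CAUTION block, the lead sentence "All three compilers can execute arbitrary code on the server" is contradicted by its own third bullet, which says Typst's scripting layer is sandboxed by design. Since this commit already rewrites the warning, split the claim: state that LaTeX with shell-escape and Quarto Python cells run arbitrary code, and that Typst is sandboxed but still compiles server-side without per-project resource isolation. The LaTeX bullet is also conditional ("with shell-escape enabled") and the warning never says whether Verso enables shell-escape by default; an operator deciding whether to deploy needs that default and where to change it stated here.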
@@ -263,15 +264,17 @@ Verso is not affiliated with Overleaf Ltd.
|
||||
Verso is not accepting contributions or donations at this time. If you find it
|
||||
useful and want to support the broader ecosystem it builds on:
|
||||
|
||||
- **Support Overleaf** — Overleaf is actively working on
|
||||
[Typst support](https://www.overleaf.com/blog/overleaf-and-typst) and
|
||||
RevealJS presentation features. The best way to support their work is to use
|
||||
or subscribe to [Overleaf](https://www.overleaf.com) and encourage your
|
||||
institution to do the same.
|
||||
- **Support Overleaf** — Verso is built on Overleaf's infrastructure. The best
|
||||
way to support their work is to use or subscribe to
|
||||
[Overleaf](https://www.overleaf.com) and encourage your institution to do the
|
||||
same.
|
||||
- **Support Typst** — [Typst GmbH](https://typst.app) is the company behind the
|
||||
Typst compiler. Using Typst.app or sponsoring the
|
||||
[Typst project on GitHub](https://github.com/typst/typst) helps sustain the
|
||||
language itself.
|
||||
- **Support RevealJS** — Verso uses [Reveal.js](https://revealjs.com) for
|
||||
HTML presentations. Consider sponsoring the
|
||||
[RevealJS project on GitHub](https://github.com/hakimel/reveal.js).
|
||||
|
||||
---
|
||||
|
||||
|
||||
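Review bot: The replacement bullet "Verso is built on Overleaf's infrastructure" can be read as Verso running on Overleaf's hosted service, which sits badly next to the "Verso is not affiliated with Overleaf Ltd." line in this hunk's context. Name what is actually reused instead (for example Overleaf's open-source code, if that is what is meant) so the correction of the earlier invented claim does not introduce a new ambiguous one. Separately, the new bullet spells the project two ways ("RevealJS" in the heading and sponsor link, "Reveal.js" in the first link); pick one spelling.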