math mode can be escaped

[jtracey]

The module doesn't make any attempt to escape or reject $ characters. For example, !tex x $ x $ x will show the middle x as a text x, not a math x. If you enable the use_tex setting, this is a security problem (e.g., !tex $ \def\x{\x}\x $ will launch latex in an infinite loop). One of the following changes should be made:

• reject all strings with $
• escape all $ characters (this is trickier than it may seem, e.g. s.replace('$', '\$') would still allow an escape if s = "\$ \def\x{\x}\x \$")
• warn about the security implications of the use_tex setting