commonmark-react-renderer
Renderer for CommonMark which returns an array of React elements, ready to be used in a React component. See react-markdown for such a component.
npm install --save commonmark-react-renderer
var CommonMark = require('commonmark');
var ReactRenderer = require('commonmark-react-renderer');
var parser = new CommonMark.Parser();
var renderer = new ReactRenderer();
var input = '# This is a header\n\nAnd this is a paragraph';
var ast = parser.parse(input);
var result = renderer.render(ast);
// `result`:
[
<h1>This is a header</h1>,
<p>And this is a paragraph</p>
]
Pass an object of options to the renderer constructor to configure it. Available options:

- sourcePos - boolean Setting to true will add data-sourcepos attributes to all elements, indicating where in the markdown source they were rendered from (default: false).
- escapeHtml - boolean Setting to true will escape HTML blocks, rendering plain text instead of inserting the blocks as raw HTML (default: false).
- skipHtml - boolean Setting to true will skip inlined and blocks of HTML (default: false).
- softBreak - string Setting to br will create <br> tags instead of newlines (default: \n).
- allowedTypes - array Defines which types of nodes should be allowed (rendered). (default: all types).
- disallowedTypes - array Defines which types of nodes should be disallowed (not rendered). (default: none).
- unwrapDisallowed - boolean Setting to true will try to extract/unwrap the children of disallowed nodes. For instance, if disallowing Strong, the default behaviour is to simply skip the text within the strong altogether, while the behaviour some might want is to simply have the text returned without the strong wrapping it. (default: false)
- allowNode - function Function executed to determine if the node should be allowed. Runs prior to checking allowedTypes/disallowedTypes. Returning a truthy value will allow the node to be included. Note that if this function returns true and the type is not in allowedTypes (or specified as a disallowedType), it won't be included. The function will get a single object argument (node), which includes the following properties:
  - type - string The type of node - same ones accepted in allowedTypes and disallowedTypes
  - renderer - string The resolved renderer for this node
  - props - object Properties for this node
  - children - array Array of children
- renderers - object An object where the keys represent the node type and the value is a React component. The object is merged with the default renderers. The props passed to the component vary based on the type of node. See the Type renderer options section below for more details.
- transformLinkUri - function|null Function that gets called for each encountered link with a single argument - uri. The returned value is used in place of the original. The default link URI transformer acts as an XSS-filter, neutralizing things like javascript:, vbscript: and file: protocols. If you specify a custom function, this default filter won't be called, but you can access it as require('commonmark-react-renderer').uriTransformer. If you want to disable the default transformer, pass null to this option.
- transformImageUri - function|null Function that gets called for each encountered image with a single argument - uri. The returned value is used in place of the original.
- linkTarget - string A string to be used in the anchor tag's target attribute, e.g., "_blank"
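Because a custom transformLinkUri replaces the default XSS filter, the custom function has to enforce its own scheme policy. The following is an added example, not code from commonmark-react-renderer: a transformer that resolves relative links while keeping a scheme allowlist. The names makeLinkTransformer, ALLOWED_SCHEMES and BLOCKED, the allowlist itself and the base URL are assumptions made for illustration.

```javascript
// Added example, not code from commonmark-react-renderer.
// Assumed policy: only these schemes may appear in rendered links.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
const BLOCKED = '#blocked-link'; // constructed placeholder for rejected URIs

// Returns a function suitable for the transformLinkUri option. It resolves
// relative links against baseUrl and rejects any scheme outside the allowlist.
function makeLinkTransformer(baseUrl) {
  return function transformLinkUri(uri) {
    // Normalise the way browsers do before parsing a URL: drop tab/CR/LF
    // anywhere, then trim leading and trailing control characters and spaces.
    const cleaned = String(uri == null ? '' : uri)
      .replace(/[\t\r\n]/g, '')
      .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
    if (cleaned === '' || cleaned.startsWith('#')) {
      return cleaned; // empty or same-page fragment
    }
    // A ':' before any '/', '?' or '#' means the URI carries a scheme.
    const colon = cleaned.indexOf(':');
    const delim = cleaned.search(/[\/?#]/);
    if (colon !== -1 && (delim === -1 || colon < delim)) {
      const scheme = cleaned.slice(0, colon).toLowerCase();
      return ALLOWED_SCHEMES.has(scheme) ? cleaned : BLOCKED;
    }
    try {
      return new URL(cleaned, baseUrl).href; // relative link
    } catch (err) {
      return BLOCKED; // unparseable input is rejected, not passed through
    }
  };
}

// Usage with the renderer (requires the package to be installed):
//   var ReactRenderer = require('commonmark-react-renderer');
//   var renderer = new ReactRenderer({
//     escapeHtml: true,
//     transformLinkUri: makeLinkTransformer('https://docs.example.test/guide/')
//   });
```

The allowlist is checked after normalisation, so mixed case and embedded tabs or newlines in the scheme do not get past it.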
Note: Inline HTML is currently broken

- isBlock - boolean true if type is HtmlBlock, false otherwise
- escapeHtml - boolean Same as renderer option, see above
- skipHtml - boolean Same as renderer option, see above
- literal - string The HTML fragment

- language - string Language info tag, for instance ```js would set this to js. Undefined if the tag is not present in the source.
- literal - string The string value of the code block

- literal - string The string value of the inline code
- inline - boolean Always true. Present to allow reuse of the same renderer for both CodeBlock and Code.

- level - number Heading level, from 1 to 6.
- children - node One or more child nodes for the heading

- softBreak - mixed Depending on the softBreak setting of the actual renderer, either a given string or a React linebreak element

- href - string URL for the link
- title - string Title for the link, if any
- children - node One or more child nodes for the link

- src - string URL for the image
- title - string Title for the image, if any
- alt - string Alternative text for the image, if any

- start - number Start index of the list
- type - string Type of list (Bullet/Ordered)
- tight - boolean Whether the list is tight or not (see the CommonMark spec, http://spec.commonmark.org/0.23/#lists, for more details)

- nodeKey - string A key that can be used by React for the key hint
- children - node Child nodes of the current node
- literal - string A literal representation of the node, where applicable
- data-sourcepos - string If sourcePos option is set, passed to all types and should be present in all the DOM-representations to signify the source position of this node

git clone git@github.com:rexxars/commonmark-react-renderer.git
cd commonmark-react-renderer
npm install
npm test
MIT-licensed. See LICENSE.
FAQs
React renderer for CommonMark (rationalized Markdown)
The npm package commonmark-react-renderer receives a total of 17,236 weekly downloads. As such, commonmark-react-renderer popularity was classified as popular.
We found that commonmark-react-renderer demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.