rehype-raw
The rehype-raw npm package is a plugin for rehype that parses raw HTML embedded in markdown content into real hast nodes, so that the HTML is processed as part of the rehype pipeline rather than passed through as opaque strings. It is particularly useful when you want to mix markdown with HTML and need the HTML to be transformed together with the rest of the document.

Parsing HTML inside Markdown

This code demonstrates how rehype-raw can be used to parse HTML tags embedded within Markdown content, allowing for content structures that mix Markdown and HTML seamlessly.
  import {unified} from 'unified'
  import remarkParse from 'remark-parse'
  import remarkRehype from 'remark-rehype'
  import rehypeRaw from 'rehype-raw'
  import rehypeStringify from 'rehype-stringify'

  const file = await unified()
    .use(remarkParse)                              // markdown -> mdast
    .use(remarkRehype, {allowDangerousHtml: true}) // mdast -> hast, keeping the HTML as `raw` string nodes
    .use(rehypeRaw)                                // reparse those `raw` nodes into real hast element nodes
    .use(rehypeStringify)                          // hast -> HTML string
    .process('# Hello world!\n\n<div>**bold text** inside HTML</div>')

  console.log(String(file))
Similar to rehype-raw, rehype-sanitize is a rehype plugin used to clean HTML within the documents. While rehype-raw parses raw HTML for further processing, rehype-sanitize focuses on ensuring the HTML is safe from XSS attacks, providing a layer of security by filtering out unwanted HTML tags and attributes.
rehype plugin to parse the tree (and raw nodes) again, keeping positional info okay.

This package is a unified (rehype) plugin to parse a document again. Understanding how it works requires knowledge of ASTs (specifically, hast). This plugin passes each node and embedded raw HTML through an HTML parser (parse5), to recreate a tree exactly as a browser would parse it, while keeping the original data and positional info intact.
unified is a project that transforms content with abstract syntax trees (ASTs). rehype adds support for HTML to unified. hast is the HTML AST that rehype uses. This is a rehype plugin that parses the tree again.
This plugin is particularly useful when coming from markdown and wanting to support HTML embedded inside that markdown (which requires passing allowDangerousHtml: true to remark-rehype).

Markdown dictates how, say, a list item or emphasis can be parsed. We can use that to turn the markdown syntax tree into an HTML syntax tree. But markdown also dictates that things that look like HTML are passed through untouched, even when it just looks like XML but doesn’t really make sense, so we can’t normally use these strings of “HTML” to create an HTML syntax tree. This plugin can. It can be used to take those strings of HTML and include them into the syntax tree as actual nodes.
If your final result is HTML and you trust the content, then “strings” are fine (you can pass allowDangerousHtml: true to rehype-stringify, which passes HTML through untouched). But there are two main cases where a proper syntax tree is preferred:

This plugin is built on hast-util-raw, which does the work on syntax trees. rehype focuses on making it easier to transform content by abstracting such internals away.
This package is ESM only. In Node.js (version 16+), install with npm:

  npm install rehype-raw

In Deno with esm.sh:

  import rehypeRaw from 'https://esm.sh/rehype-raw@7'

In browsers with esm.sh:

  <script type="module">
    import rehypeRaw from 'https://esm.sh/rehype-raw@7?bundle'
  </script>
Say we have the following markdown file example.md (the blank lines around the paragraph are what make markdown parse it as a paragraph inside the div, as the output below shows):

  <div class="note">

  A mix of *markdown* and <em>HTML</em>.

  </div>

…and our module example.js looks as follows:
  import rehypeDocument from 'rehype-document'
  import rehypeFormat from 'rehype-format'
  import rehypeRaw from 'rehype-raw'
  import rehypeStringify from 'rehype-stringify'
  import remarkParse from 'remark-parse'
  import remarkRehype from 'remark-rehype'
  import {read} from 'to-vfile'
  import {unified} from 'unified'

  const file = await unified()
    .use(remarkParse)
    .use(remarkRehype, {allowDangerousHtml: true})
    .use(rehypeRaw)
    .use(rehypeDocument, {title: '🙌'})
    .use(rehypeFormat)
    .use(rehypeStringify)
    .process(await read('example.md'))

  console.log(String(file))

…now running node example.js yields:
  <!doctype html>
  <html lang="en">
    <head>
      <meta charset="utf-8">
      <title>🙌</title>
      <meta name="viewport" content="width=device-width, initial-scale=1">
    </head>
    <body>
      <div class="note">
        <p>A mix of <em>markdown</em> and <em>HTML</em>.</p>
      </div>
    </body>
  </html>
This package exports no identifiers. The default export is rehypeRaw.

unified().use(rehypeRaw[, options])

Parse the tree (and raw nodes) again, keeping positional info okay.

Parameters

  options (Options, optional) — configuration

Returns

  Transform (Transformer).

Options

Configuration (TypeScript type).

Fields

  passThrough (Array<string>, default: []) — list of custom hast node types to pass through (as in, keep); this option is a bit advanced as it requires knowledge of ASTs, so we defer to the docs in hast-util-raw

This package is fully typed with TypeScript. It exports the additional type Options. The Raw node type is registered by and exposed from remark-rehype.
Projects maintained by the unified collective are compatible with maintained versions of Node.js. When we cut a new major release, we drop support for unmaintained versions of Node. This means we try to keep the current release line, rehype-raw@^7, compatible with Node.js 16.
The allowDangerousHtml option in remark-rehype is dangerous, so see that plugin on how to make it safe. Otherwise, this plugin is safe.
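The reason a parsed tree matters once content is untrusted (the second of the two cases mentioned earlier, and the reason allowDangerousHtml needs a sanitizing step) is that a `raw` string node cannot be inspected, while real hast element nodes can be filtered attribute by attribute. The following is an added example, not code from the rehype-raw project: a minimal allowlist sanitizer over hast-shaped trees, with the trees hand-built to mirror what remark-rehype (strings) and rehype-raw (real nodes) would emit for the example.md above, plus two hostile additions. The names `sanitizeToHtml`, `ALLOWED`, `isSafeHref` and the two sample trees are constructed for this example; in a real pipeline you would run rehype-sanitize after rehype-raw instead.

```javascript
// Added example (not part of rehype-raw): allowlist sanitizer over hast-shaped
// trees, to show why rehype-raw's real nodes matter for untrusted content.

// Allowlist: element name -> hast property names it may keep (constructed for
// this example; note that hast stores `class` as `className`).
const ALLOWED = {
  div: ['className'],
  p: [],
  em: [],
  a: ['href'],
}

// URL schemes an href may use; anything else (javascript:, data:, ...) is dropped.
const SAFE_SCHEMES = ['http:', 'https:', 'mailto:']

function isSafeHref(value) {
  try {
    // Relative links resolve against a placeholder base and come out as https:.
    return SAFE_SCHEMES.includes(new URL(String(value), 'https://example.invalid/').protocol)
  } catch {
    return false
  }
}

// Return a sanitized copy of `node`, or null if it must be removed entirely.
function sanitizeNode(node) {
  switch (node.type) {
    case 'root':
      return {type: 'root', children: sanitizeChildren(node.children)}
    case 'text':
      return {type: 'text', value: node.value}
    case 'raw':
      // A `raw` node is an unparsed HTML string (what remark-rehype emits with
      // allowDangerousHtml when rehype-raw is not run). It has no structure to
      // inspect, so the only safe choice is to drop it.
      return null
    case 'element': {
      const keep = ALLOWED[node.tagName]
      if (!keep) return null // disallowed element (script, iframe, ...): drop its whole subtree
      const properties = {}
      for (const [name, value] of Object.entries(node.properties || {})) {
        if (!keep.includes(name)) continue // strips onClick, style, id, ...
        if (name === 'href' && !isSafeHref(value)) continue
        properties[name] = value
      }
      return {type: 'element', tagName: node.tagName, properties, children: sanitizeChildren(node.children)}
    }
    default:
      return null
  }
}

function sanitizeChildren(children) {
  return (children || []).map(sanitizeNode).filter(Boolean)
}

// Tiny hast -> HTML serializer, sufficient for the trees in this example.
function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;')
}

function toHtml(node) {
  if (node.type === 'text') return escapeHtml(node.value)
  if (node.type === 'root') return node.children.map(toHtml).join('')
  if (node.type !== 'element') return ''
  const attrs = Object.entries(node.properties)
    .map(([k, v]) => ` ${k === 'className' ? 'class' : k}="${escapeHtml(Array.isArray(v) ? v.join(' ') : v)}"`)
    .join('')
  return `<${node.tagName}${attrs}>${node.children.map(toHtml).join('')}</${node.tagName}>`
}

function sanitizeToHtml(tree) {
  return toHtml(sanitizeNode(tree))
}

const text = (value) => ({type: 'text', value})
const el = (tagName, properties, children) => ({type: 'element', tagName, properties, children})

// Constructed: roughly what remark-rehype emits for example.md with
// allowDangerousHtml: true and no rehype-raw. The HTML survives only as strings.
const treeWithRawStrings = {
  type: 'root',
  children: [
    {type: 'raw', value: '<div class="note">'},
    el('p', {}, [text('A mix of '), el('em', {}, [text('markdown')]), text(' and '),
      {type: 'raw', value: '<em>'}, text('HTML'), {type: 'raw', value: '</em>'}, text('.')]),
    {type: 'raw', value: '</div>'},
  ],
}

// Constructed: the same document after rehype-raw, plus two hostile additions an
// untrusted author might include. Now every piece of HTML is a real node.
const treeWithRealNodes = {
  type: 'root',
  children: [
    el('div', {className: ['note']}, [
      el('p', {}, [text('A mix of '), el('em', {}, [text('markdown')]), text(' and '),
        el('em', {}, [text('HTML')]), text('.')]),
      el('script', {}, [text('alert(1)')]),
      el('a', {href: 'javascript:alert(1)', onClick: 'alert(2)'}, [text('click')]),
    ]),
  ],
}

console.log(sanitizeToHtml(treeWithRawStrings)) // the div and inner <em> are lost: they were only strings
console.log(sanitizeToHtml(treeWithRealNodes))  // div and em survive; script, onClick and javascript: href are gone
```

With string nodes the sanitizer can only discard the HTML wholesale, so the author's `<div class="note">` and `<em>` disappear along with anything dangerous. With real nodes the harmless markup is kept and only the script element, the `onClick` handler and the `javascript:` href are removed, which is exactly the granularity rehype-sanitize gives you after rehype-raw.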
See contributing.md in rehypejs/.github for ways to get started. See support.md for ways to get help.

This project has a code of conduct. By interacting with this repository, organization, or community you agree to abide by its terms.
FAQs

rehype plugin to reparse the tree (and raw nodes)

The npm package rehype-raw receives a total of 1,491,158 weekly downloads. As such, rehype-raw popularity was classified as popular.

We found that rehype-raw demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.