Markup: Markdown strips HTML

Created on 18 May 2012  ·  16 Comments  ·  Source: github/markup

I have a small piece of HTML in my README.md which I use for extra styling but it is stripped out of my README for the project.
My other markdown based sites show it fine.

Example is at github.com/headsupdev/agile - see the 1 line of HTML completely ignored.

All 16 comments

lts for less than sign
gts for greater than sign
description of unix style filter in README.md
filter lts file_in gts file_out
displays filter file_out
lts file_in gts gets tossed as html markup?

The previous comment refers to something that may appear to be html but should be valid markdown and should not be stripped out.

+1. I have an HTML table inside my markdown and Github seems to be stripping out all the style attributes on the cells or cell content. I would expect Github to preserve styling attributes within HTML blocks. The general markdown.css should still style the table in a general way (even, odd row colors, etc).

+1. I find it very annoying that inline bits of HTML are stripped by gh-pages.

We do allow HTML in markdown documents, but we don't allow unsafe HTML tags and attributes (iframe, style). It's impossible to distinguish between legitimate use and abuse. Let us know if there's a specific tag or attribute that we should allow (as long as it can't be abused).

I can understand disallowing e.g. <iframe> and <script> for security reasons, but how does the style attribute lead to abuse exactly?

This is pretty annoying.

Because one can turn the font size 48 in a bright yellow, rendering any text illegible and burning holes in a hapless user's corneas.

@mindplay-dk And because of Scriptless attacks :stuck_out_tongue_winking_eye:

> Because one can turn the font size 48 in a bright yellow, rendering any text illegible and burning holes in a hapless user's corneas.

Yeah, that's hardly a _security_ concern - and, I can do all of that with a large, ugly image, which no one's trying to stop me from.

> And because of Scriptless attacks

I'm sure you could address behavior, expression and url('javascript:...') attacks in IE without having to cripple standard HTML?

For instance, if you don't want people changing fonts or font-sizes, just use a simple whitelist allowing e.g. float, width, height, text-align and other basic layout properties...

+1 for the whitelist

abbr would be really nice, too.

This is probably futile, due to the standardization of GitHub Flavored CommonMark, but I would love to be able to use <small></small>. You could set it to an absolute pixel size in CSS (rather than a sub-100 percentage) to prevent abuse by nesting multiple smalls.

On 14 February 2018 at 0:42, "Lanny Heidbreder" notifications@github.com wrote:

> I would love to be able to use .

Maybe we could have some of the not-too-dangerous parameters like:

- padding-left;
- padding-right;
- margin-left;
- margin-right;
- text-align;

and so on, just to layout text and images the way we want. That'd be a start :D

can this be re-opened?

As @mindplay-dk said, why not allow inline CSS / CSS but with only whitelisted declarations?
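To make the whitelist idea raised in this thread concrete, here is an added example of an inline `style` attribute filter. It is not github/markup's own sanitizer; the property list is the one the commenters proposed (float, width, height, text-align, padding and margin left/right), and values are restricted to plain keywords or lengths so that `url(...)`, `expression(...)` and `behavior` cannot pass no matter which property carries them.

```ruby
# Added example, not github/markup's own sanitization code: a whitelist
# filter for the contents of an inline style="" attribute. Only the layout
# properties proposed in this thread survive, and only with simple keyword,
# length or percentage values.

ALLOWED_PROPERTIES = %w[
  float width height text-align
  padding-left padding-right margin-left margin-right
].freeze

# A plain keyword (left, center, auto, inline-block ...) or a number with an
# optional unit (200px, 1.5em, 50%). No parentheses, quotes, slashes or
# backslashes, which rules out function calls, URLs, comments and CSS escapes.
SAFE_VALUE = /\A(?:[a-z][a-z-]*|-?\d+(?:\.\d+)?(?:px|em|rem|%)?)\z/

# Returns the filtered declaration list, or "" if nothing survives.
def sanitize_style(style)
  return "" if style.nil?

  kept = style.split(";").map do |declaration|
    property, value = declaration.split(":", 2)
    next if property.nil? || value.nil?

    property = property.strip.downcase
    value = value.strip.downcase

    # Both the property name and the value shape must be on the allow list.
    next unless ALLOWED_PROPERTIES.include?(property)
    next unless value.match?(SAFE_VALUE)

    "#{property}: #{value}"
  end

  kept.compact.join("; ")
end

# Constructed sample attribute values, as a README table-cell author might write them.
if __FILE__ == $PROGRAM_NAME
  [
    "float: left; width: 200px",
    "color: red; font-size: 48px; text-align: center",
    "width: expression(alert(1))",
    "background: url(javascript:alert(1)); margin-left: 1em",
  ].each { |s| puts "#{s.inspect} -> #{sanitize_style(s).inspect}" }
end
```

The filter keeps the layout declarations the thread asked for while the font-size and colour declarations that prompted the "burning corneas" objection are dropped along with anything carrying a function call.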
