Allow safe HTML tags to be rendered in markdown readmes (BB-3562)

Issue #3538 duplicate
Jitbit Software
created an issue

This is more important than it sounds, please take a minute to read this guys :)

Other open-source hostings (codeplex, google-code, sourceforge, github etc etc etc) allow basic HTML-editing on project pages. So people can add "retweet" buttons, CSS tricks, JavaScript-demos and other cool stuff to their open-source project sites.

With Bitbucket - I have to host the site elsewhere, since you do not allow HTML on project pages.

Comments (20)

  1. David Chambers

    We would definitely like to offer this; I myself would find it very useful.

    Our concern is that since wikis and READMEs and the like are served from, any malicious JavaScript that managed to sneak through the defenses would have access to cookies. We've discussed this every few months for as long as I can remember. Last time it came up, though, @Brodie Rao mentioned a Python module he'd discovered which does whitelist-based escaping of HTML input, which might offer the necessary level of security.

    We'll keep you posted, though I can't imagine anyone on the team getting a chance to devote time to this for a couple of months at least.

  2. Jitbit Software reporter

    Thank you, I didn't know about the static hosting, thanks.

    A sample link you asked for - here's one of my Mercurial projects hosted at codeplex: (note the "retweet" button, and the "kick it" widget).

    If you're worried about JavaScript security - then do not allow JavaScript, just static HTML would be great!

  3. Jesper Noehr

    Cool, thanks for the example. The problem is obviously making sure you always sanitize correctly, as people always find ways to inject javascript into things. :-/

  4. Dylan Etkin
    • changed status to open

    Hi jitbit,

    We have plans to allow a subset of HTML to be rendered via README's in markdown.

    However we do not ever plan on allowing random JS to be executed on your repo landing page. The problem is really around security and XSRF.



  5. Charles Killian

    A useful thing that would at least work past some of my desires for html would be to support some of the markdown extensions (e.g. those of phpmarkdown, multimarkdown, or github markdown). In particular, I'd like to be able to easily link to headings, or locations on the page. I'm aware I could link to the id "#markdown-header-heading" but that's not convenient and not very standard. Another case recently was wanting to do either tables or definition lists in the wiki pages. And is there a convenient way to link to other wiki pages? Using relative urls seems to be the only option, but wikis feel like they should be more connected.

  6. M_A_K

    I'm aware I could link to the id "#markdown-header-heading" but that's not convenient and not very standard.

    The problem is, that "#markdown-header" does not work if text of the header is not in English (in Russian for example).

  7. Tom Roche

    I have several projects doing scientific computing about environmental aspects of N2O. Some of the data about which I write is best discussed using tables; pretty much all of it displays best with subscripts. Currently I

    1. use creole for my wikis, since that supports tables and subscripts.
    2. use markdown for my READMEs since that's what I started using (before I discovered its limitations) and I prefer its syntax.

    I would like to use one markup for both my wikis and READMEs, since I often find myself correcting "typos" == context-inappropriate syntax, but BB does not currently support creole READMEs. (Nor, IIRC, markdown for wikis.)

    I had considered converting all my READMEs+wikis to reStructuredText; unfortunately, while (IIUC) BB supports reST for both wikis and READMEs, BB-reST (i.e., BB's reStructuredText renderer) does not apparently support subscripts, though BB-reST does empirically support comments and tables. (I did not test definition lists.) In any case I very much prefer markdown's link syntax. (Apologies if the above is too off-topic for this issue.) Hence:

    • +1 for tables in BB-markdown!
    • +0.5 for definition lists in BB-markdown: I don't use them much, but they are useful.
    • +1 for comment tags in BB-markdown.
    • +2 for <sub> and <sup> in BB-markdown!
  8. Log in to comment