HTML in Markdown doesn't work #1886

Ghost commented 2025年04月25日 09:44:59 +02:00

Comment

Why HTML in Markdown doesn't work in codeberg?

### Comment Why HTML in Markdown doesn't work in codeberg?

camelia commented 2025年04月26日 00:05:45 +02:00

What do you mean it does not work? Personally I have pieces of HTML in most of my project's READMEs and it works well

What do you mean it does not work? Personally I have pieces of HTML in most of my project's READMEs and it works well

Ghost commented 2025年04月26日 11:41:17 +02:00

Example:

# MDHacks

<a href="https://nogithub.codeberg.page">
 <img src="https://nogithub.codeberg.page/badge.svg" alt="Please don't upload to GitHub"></img>
</a>
<p>Fun markdown's hacks</p>
Hi, **MDHacks** is a repository that contain multiple & only markdown hacks!
For example, here it's a markdown hack:
<p id="body" type="text/html" style="font-weight:bold;font-style:italic;background-color:green;color:lightgreen;">
This is a markdown's hack.
</p>
## FAQ

❓How that works?
💡This works using **HTML, CSS** & pottentialy **JavaScript** because it's compactible with **Markdown**.
❓How to made this?
💡 To create your own markdown's hack, you need to make a HTML & CSS like...
`<p id="body" type="text/html" style="font-wegith:bold;font-style:italic;background:green;color:lightgreen;>Your text</p>`. For informations, always start a paragraph with `<p id="body" type="text/html" style="opacity: 0%;">AAAAAA</p>` as the document body.
Or another, you cannot use the `<style>` tag in **Markdown**, but in place, use the `style` argument inside your element.

More informations at https://codeberg.org/therealneca7/mdhacks.

Example: ```markdown # MDHacks <a href="https://nogithub.codeberg.page"> <img src="https://nogithub.codeberg.page/badge.svg" alt="Please don't upload to GitHub"></img> </a> <p>Fun markdown's hacks</p> Hi, **MDHacks** is a repository that contain multiple & only markdown hacks! For example, here it's a markdown hack: <p id="body" type="text/html" style="font-weight:bold;font-style:italic;background-color:green;color:lightgreen;"> This is a markdown's hack. </p> ## FAQ ❓How that works? 💡This works using **HTML, CSS** & pottentialy **JavaScript** because it's compactible with **Markdown**. ❓How to made this? 💡 To create your own markdown's hack, you need to make a HTML & CSS like... `<p id="body" type="text/html" style="font-wegith:bold;font-style:italic;background:green;color:lightgreen;>Your text</p>`. For informations, always start a paragraph with `<p id="body" type="text/html" style="opacity: 0%;">AAAAAA</p>` as the document body. Or another, you cannot use the `<style>` tag in **Markdown**, but in place, use the `style` argument inside your element. ``` More informations at <https://codeberg.org/therealneca7/mdhacks>.

camelia commented 2025年04月26日 14:57:21 +02:00

Yes, CSS and JS can't be injected because of the server CSP headers if I'm correct. It would open a huge attack surface otherwise.

Yes, CSS and JS can't be injected because of the server CSP headers if I'm correct. It would open a huge attack surface otherwise.

Ghost commented 2025年04月27日 08:48:48 +02:00

Why that will open a huge attack surface?

Why that will open a huge attack surface?

camelia commented 2025年04月27日 20:58:32 +02:00

@therealneca7 wrote in #1886 (comment):

Why that will open a huge attack surface?

Well, if you can include custom scripts in your markdown files, this means that you can execute arbitrary code in the browser of anyone visiting the page that renders your markdown file (which is precisely what CSP aims to prevent).
Similarly, if CSS is allowed outside of inline definitions, it is possible to completely break the layout of the page, since you can define CSS rules for body or other HTML elements.

@therealneca7 wrote in https://codeberg.org/Codeberg/Community/issues/1886#issuecomment-4021715: > Why that will open a huge attack surface? Well, if you can include custom scripts in your markdown files, this means that you can execute arbitrary code in the browser of anyone visiting the page that renders your markdown file (which is precisely what CSP aims to prevent). Similarly, if CSS is allowed outside of inline definitions, it is possible to completely break the layout of the page, since you can define CSS rules for `body` or other HTML elements.

Ghost commented 2025年04月28日 11:31:18 +02:00

kind, a markdown file that inject HyperText Markup Language, Cascading Style Sheets and JavaScript, which makes a custom page in the even website, even subdomain, even link?

kind, a markdown file that inject HyperText Markup Language, Cascading Style Sheets and JavaScript, which makes a custom page in the even website, even subdomain, even link?

D4llo commented 2025年05月01日 16:20:48 +02:00

You can edit a custom page (i.e. codeberg.page) any way you want, but you can't do whatever you like with the md render inside codeberg.org. And yes you can have a custom page, even subdomain with a custom domain. see https://docs.codeberg.org/codeberg-pages/using-custom-domain/

You can edit a custom page (i.e. codeberg.page) any way you want, but you can't do whatever you like with the md render inside codeberg.org. And yes you can have a custom page, even subdomain with a custom domain. see https://docs.codeberg.org/codeberg-pages/using-custom-domain/

Ghost commented 2025年05月01日 17:54:42 +02:00

no kind in https://codeberg.org/example-user/example-repo (thats a example account & example repository created by me) and the README.md injects HTML, CSS & JavaScript. It is possible?

no kind in <https://codeberg.org/example-user/example-repo> (thats a example account & example repository created by me) and the `README.md` injects HTML, CSS & JavaScript. It is possible?

camelia commented 2025年05月01日 23:05:43 +02:00

@therealneca7 wrote in #1886 (comment):

no kind in https://codeberg.org/example-user/example-repo (thats a example account & example repository created by me) and the README.md injects HTML, CSS & JavaScript. It is possible?

I don't think so. You can, of course, use inline style definitions, but more than that would cause many security concerns, as explained here. For instance, imagine, if you had the following line in your README.md:

<style>
body {
 display: none !important;
}
</style>

It would make the whole page disappear every time someone clicks on your repository! And you could do much more damage by injecting JavaScript, since it would execute actual code every time the page that renders your README is loaded.

@therealneca7 wrote in https://codeberg.org/Codeberg/Community/issues/1886#issuecomment-4061237: > no kind in https://codeberg.org/example-user/example-repo (thats a example account & example repository created by me) and the `README.md` injects HTML, CSS & JavaScript. It is possible? I don't think so. You can, of course, use inline style definitions, but more than that would cause many security concerns, as [explained here](https://codeberg.org/Codeberg/Community/issues/1886#issuecomment-4025357). For instance, imagine, if you had the following line in your README.md: ```html <style> body { display: none !important; } </style> ``` It would make the whole page disappear every time someone clicks on your repository! And you could do much more damage by injecting JavaScript, since it would execute actual code every time the page that renders your README is loaded.

D4llo commented 2025年05月02日 09:22:15 +02:00

With JS injection, you could get user cookies, ouath, mining cryptocurrency, etc. so yes as @camelia said, not a good idea. If you want all of that use Codeberg's page https://codeberg.page/

With JS injection, you could get user cookies, ouath, mining cryptocurrency, etc. so yes as @camelia said, not a good idea. If you want all of that use Codeberg's page https://codeberg.page/

Ghost commented 2025年05月02日 16:13:25 +02:00

Okay. I will close this issue now.

Okay. I will close this issue now.