54

This gives a pretty thorough description of how HTML elements are interpreted by Markdown. But it does not discuss styles.

So far, the only thing I can get to work is image width.

  1. I can't find a list anywhere of what is accepted/rendered
  2. It appears that the style="....." attribute is completely ignored.
  3. I can't even find a list of the old-fashioned style attributes (as opposed to the style attribute style=...)

https://gist.github.com/abalter/46df1b79e9f429342972477d7c20cebc

Change span to div due to div being in the whitelisted tags per @waylan's comment under @chris's answer.

It appears that Firefox and Chrome don't render any style attributes any more at all.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
abalter
  • 9,663
  • 17
  • 90
  • 145
  • 12
    "put on hold as unclear what you're asking" ==> The person who gave an answer understood exactly what I was asking. If you can think of a better way to ask, or have a question, please say so. – abalter Jun 30 '17 at 06:49
  • 4
    Yeah, This was a perfectly clear question to me as well. And I agree, the answer was exactly on point. For those who don't know that GitHub filters Markdown output, I suppose the question could be confusing. But if you know were to link to in the question (to give the needed context), then you will already have the source of the answer and not need to ask the question. – Waylan Jul 03 '17 at 17:08
  • 5
    Why is this question closed? I had the same question and this was the only resource I could find via google that actually answered it. This question is SO at its best, in my opinion. – davnicwil Sep 09 '19 at 06:59

1 Answers1

35

After GitHub converts Markdown to HTML,

The HTML is sanitized, aggressively removing things that could harm you and your kin—such as script tags, inline-styles, and class or id attributes.

The above excerpt used to also say "See the sanitization filter for the full whitelist," but that line has since been removed. The linked page itself says:

Although this project was started at GitHub, they no longer use it. This gem must be considered standalone and independent from GitHub.

Which is to say, the whitelist might very well have changed.

You're right: style tags are not included in the whitelist. They are ignored.

The permitted attributes differ by tag. I recommend referring to the sanitization filter link above. It leads to a fairly readable Ruby source file.

Inigo
  • 12,186
  • 5
  • 41
  • 70
ChrisGPT was on strike
  • 127,765
  • 105
  • 273
  • 257
  • So, if I'm interpreting `:all => ['abbr', ...` correctly, then both "color" and "border" should work. They did not work in my example. – abalter Jun 29 '17 at 17:50
  • 1
    Make note of the [elements whitelist](https://github.com/jch/html-pipeline/blob/master/lib/html/pipeline/sanitization_filter.rb#L45-L49). `span` is not on that list. In fact, if you check the HTML in your example (use "view source" in your browser), the span is completely stripted out. Only the text contents remain. I would suggest using one of the elements in the whitelist instead. – Waylan Jun 29 '17 at 18:03
  • Yes, good point Waylan. This isn't just about attributes, but whole tags as well. – ChrisGPT was on strike Jun 29 '17 at 18:19
  • I've changed `span` to `div` and I'm still not getting the styles. Also, `img` is in the tag list, but I'm not getting the styles for it either---except for the `width` old-fashioned inline attribute. – abalter Jun 30 '17 at 06:51
  • Now the HTML is rendering as `
    hello
    ` But none of the styles are displaying.     – abalter Jun 30 '17 at 06:57
  • 4
    Uh, it appears that firefox and chrome [don't render individual attributes any more at all](https://rawgit.com/abalter/46df1b79e9f429342972477d7c20cebc/raw/549d162d54b75883cb6763f0754e695352ab4d86/inline-style.html). So it doesn't matter if github has whitelisted them. – abalter Jun 30 '17 at 07:08