18

How can I include a bookmarklet in a Markdown parsed document? Is there any "tag" for markdown that basically says "don't parse this"??

For example you could have something like:

```
<a href="javascript:function my_bookmarklet()
                {alert('Hello World');}
                my_bookmarklet();">Hello</a>
```

But if I try to paste the javascript from that into a link in markdown like this:

```
[Hello World!](javascript:function my_bookmarklet(){alert('Hello World');}my_bookmarklet();)
```

You get a messed up link, like below.

[Hello World!](javascript:function my_bookmarklet(){alert('Hello World');}my_bookmarklet();)

Is there any way around this?

And no, I'm not trying to put malicious bookmarklets in SO or anything, but I want to use markdown for my site and would like to post some bookmarklets I wrote.

Edit: I thought I had the answer...but now it seems I don't quite have it.

This seems to work great in WMD and showdown, but in the Markdown.php editor, it does not. Anyone have experience with Markdown.php specifically?

Zombo
Adam Haile

3 Answers

7
```
[Hello World!][1]
[1]:javascript:alert('Hello World')
```
Zombo
  • Yes! This is how you do it! Also works when formatted with the link on the next line (like `prettier` might do because of a long link). This also works in MDX documents where for some reason `` tags do not work. – Viktor Mar 05 '21 at 18:59
6

Markdown will leave any HTML alone, so you can just enter

```
<a href="javascript:function my_bookmarklet()
                {alert('Hello World');}
                my_bookmarklet();">Hello</a>
```

and get Hello. Edit: No longer works on SO, which is a good thing

You can also escape special characters with a backslash (in this case it's seeing the ")"s in your Javascript as the end of the URL) and the link syntax will work:

```
[Hello](javascript:function my_bookmarklet(\){alert('Hello World'\);}my_bookmarklet(\);)
```

gives [Hello](javascript:function my_bookmarklet(){alert('Hello World');}my_bookmarklet();)

stevemegson
  • 2
    The default behaviour of Markdown is to leave inline HTML alone so the examples should work if you're using Markdown on your own site. However, any site displaying user-submitted content should be restricting the HTML that it allows through to protect against XSS. It's a small step from that `alert('Hello World')` example to hijacking other people's SO accounts. Looking back, I'm surprised that those examples originally worked in my answer. They really shouldn't have, and don't any more. – stevemegson Dec 05 '10 at 15:40
2

I know this is a very old question, but (in case someone else finds their way here, as I did), if you url-encode your script, it will work.

For example:

```
[Hello World](javascript:%28function%28%29%7Balert%28%22Hello%20World%22%29%7D%29%28%29%3B)
```

And of course, as mentioned above, it does not work here, on SO.

Note: Some url-encoders will replace space (" ") with a "+", which works fine for regular urls, but not JS code; spaces should be replaced with "%20".

EDIT: This doesn't seem to be universally true. I suppose the specific markdown parser makes the final call here. But this works for me in more places where markdown is used.

Vivek Jain
Michael S
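
The restriction that stevemegson's comment describes for sites rendering user-submitted Markdown, sketched as an added example that is not part of the original thread and not the code of WMD, showdown or Markdown.php. The function names, the allowlist and the `site.invalid` base are assumptions, and the renderer is assumed to pass each link destination already unescaped (for instance with `\)` turned back into `)`).

```javascript
// Added example: protocol allowlist applied where a renderer emits a link.
// All names here are hypothetical; no Markdown library's API is used.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);
// Placeholder base so relative destinations resolve (assumption).
const BASE = 'https://site.invalid/';

function hrefProtocol(href) {
  try {
    // The WHATWG URL parser normalizes the scheme the way a browser does,
    // so no string-prefix matching on "javascript:" is needed.
    return new URL(href, BASE).protocol;
  } catch (e) {
    return null; // unparseable destination: treated as not allowed
  }
}

function isAllowedHref(href) {
  return ALLOWED_PROTOCOLS.has(hrefProtocol(href));
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Emit an anchor for allowed destinations, plain escaped text otherwise.
function renderLink(text, href) {
  if (!isAllowedHref(href)) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}" rel="nofollow noopener">${escapeHtml(text)}</a>`;
}

// Constructed sample input: the three destination forms posted in this
// thread, plus two ordinary links.
const samples = [
  ['Hello', "javascript:function my_bookmarklet(){alert('Hello World');}my_bookmarklet();"],
  ['Hello World!', "javascript:alert('Hello World')"],
  ['Hello World', 'javascript:%28function%28%29%7Balert%28%22Hello%20World%22%29%7D%29%28%29%3B'],
  ['Docs', 'https://example.com/a?b=1&c=2'],
  ['Relative', '/faq#links'],
];

function renderAll() {
  return samples.map(([text, href]) => renderLink(text, href));
}

console.log(renderAll().join('\n'));
```

Raw inline HTML, which Markdown passes through by default, never reaches a link hook like this one and has to be filtered separately on the rendered output.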