1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
|
# markdown-rs
<!-- To do: enable image when repo is public. -->
<!-- <img align="right" width="106" height="106" alt="" src="https://raw.githubusercontent.com/wooorm/markdown-rs/14f1ad0/logo.svg?sanitize=true"> -->
<!-- To do: enable badges when repo is public/published -->
<!-- To do: link `Downloads`/`crate-badge` to `crate` instead of temporary site. -->
<!-- [![Build][build-badge]][build] -->
<!-- [![Downloads][crate-badge]][docs] -->
<!-- [![Coverage][coverage-badge]][coverage] -->
[![Chat][chat-badge]][chat]
CommonMark compliant markdown parser in Rust with ASTs and extensions.
## Feature highlights
* [x] **[compliant][commonmark]** (100% to CommonMark)
* [x] **[extensions][]** (100% GFM, 100% MDX, frontmatter, math)
* [x] **[safe][security]** (100% safe Rust, also 100% safe HTML by default)
* [x] **[robust][test]** (2300+ tests, 100% coverage, fuzz testing)
* [x] **[ast][mdast]** (mdast)
## When should I use this?
* If you *just* want to turn markdown into HTML (with maybe a few extensions)
* If you want to do *really complex things* with markdown
## What is this?
`markdown-rs` is an open source markdown parser written in Rust.
It’s implemented as a state machine (`#![no_std]` + `alloc`) that emits
concrete tokens, so that every byte is accounted for, with positional info.
The API then exposes this information as an AST, which is easier to work with,
or it compiles directly to HTML.
While most markdown parsers work towards compliancy with CommonMark (or GFM),
this project goes further by following how the reference parsers (`cmark`,
`cmark-gfm`) work, which is confirmed with thousands of extra tests.
Other than CommonMark and GFM, this project also supports common extensions
to markdown such as MDX, math, and frontmatter.
This Rust crate has a sibling project in JavaScript: [`micromark`][micromark]
(and [`mdast-util-from-markdown`][mdast-util-from-markdown] for the AST).
## Questions
* to learn markdown, see this [cheatsheet and tutorial][cheat]
* for the API, see the [crate docs][docs]
* for questions, see [Discussions][chat]
* to help, see [contribute][] or [sponsor][] below
## Contents
* [Install](#install)
* [Use](#use)
* [API](#api)
* [Extensions](#extensions)
* [Project](#project)
* [Overview](#overview)
* [File structure](#file-structure)
* [Test](#test)
* [Version](#version)
* [Security](#security)
* [Contribute](#contribute)
* [Sponsor](#sponsor)
* [Thanks](#thanks)
* [License](#license)
## Install
With [Rust][] (rust edition 2018+, ±version 1.56+), install with `cargo`:
```sh
cargo install markdown
```
## Use
```rs
extern crate markdown;
fn main() {
println!("{}", markdown::to_html("## Hello, *world*!"));
}
```
Yields:
```html
<h2>Hello, <em>world</em>!</h2>
```
Extensions (in this case GFM):
```rs
extern crate markdown;
fn main() -> Result<(), String> {
println!(
"{}",
markdown::to_html_with_options(
"* [x] contact@example.com ~~strikethrough~~",
&markdown::Options::gfm()
)?
);
Ok(())
}
```
Yields:
```html
<ul>
<li>
<input checked="" disabled="" type="checkbox" />
<a href="mailto:contact@example.com">contact@example.com</a>
<del>strikethrough</del>
</li>
</ul>
```
Syntax tree ([mdast][]):
```rs
extern crate markdown;
fn main() -> Result<(), String> {
println!(
"{:?}",
markdown::to_mdast("# Hey, *you*!", &markdown::ParseOptions::default())?
);
Ok(())
}
```
Yields:
```text
Root { children: [Heading { children: [Text { value: "Hey, ", position: Some(1:3-1:8 (2-7)) }, Emphasis { children: [Text { value: "you", position: Some(1:9-1:12 (8-11)) }], position: Some(1:8-1:13 (7-12)) }, Text { value: "!", position: Some(1:13-1:14 (12-13)) }], position: Some(1:1-1:14 (0-13)), depth: 1 }], position: Some(1:1-1:14 (0-13)) }
```
## API
`markdown-rs` exposes
[`to_html`](https://wooorm.com/markdown-rs/markdown/fn.to_html.html),
[`to_html_with_options`](https://wooorm.com/markdown-rs/markdown/fn.to_html_with_options.html),
[`to_mdast`](https://wooorm.com/markdown-rs/markdown/fn.to_mdast.html),
[`Options`](https://wooorm.com/markdown-rs/markdown/struct.Options.html),
and a few other structs and enums.
See the [crate docs][docs] for more info.
## Extensions
`markdown-rs` supports extensions to `CommonMark`.
These extensions are maintained in this project.
They are not enabled by default but can be turned on with options.
* frontmatter
* GFM
* autolink literal
* footnote
* strikethrough
* table
* tagfilter
* task list item
* math
* MDX
* ESM
* expressions
* JSX
It is not a goal of this project to support lots of different extensions.
It’s instead a goal to support very common and mostly standardized extensions.
## Project
`markdown-rs` is maintained as a single monolithic crate.
### Overview
The process to parse markdown looks like this:
```txt
markdown-rs
+-------------------------------------------------+
| +-------+ +---------+--html- |
| -markdown->+ parse +-events->+ compile + |
| +-------+ +---------+-mdast- |
+-------------------------------------------------+
```
### File structure
The files in `src/` are as follows:
* `construct/*.rs`
— CommonMark, GFM, and other extension constructs used in markdown
* `util/*.rs`
— helpers often needed when parsing markdown
* `event.rs`
— things with meaning happening somewhere
* `lib.rs`
— public API
* `mdast.rs`
— syntax tree
* `parser.rs`
— turn a string of markdown into events
* `resolve.rs`
— steps to process events
* `state.rs`
— steps of the state machine
* `subtokenize.rs`
— handle content in other content
* `to_html.rs`
— turns events into a string of HTML
* `to_mdast.rs`
— turns events into a syntax tree
* `tokenizer.rs`
— glue the states of the state machine together
* `unist.rs`
— point and position, used in mdast
### Test
`markdown-rs` is tested with the \~650 CommonMark tests and more than 1k extra
tests confirmed with CM reference parsers.
Then there’s even more tests for GFM and other extensions.
These tests reach all branches in the code, which means that this project has
100% code coverage.
Fuzz testing is used to check for things that might fall through coverage.
The following bash scripts are useful when working on this project:
* run examples:
```sh
RUST_BACKTRACE=1 RUST_LOG=debug cargo run --example lib
```
* format:
```sh
cargo fmt
```
* lint:
```sh
cargo fmt --check && cargo clippy --examples --tests --benches
```
* test:
```sh
RUST_BACKTRACE=1 cargo test
```
* docs:
```sh
cargo doc --document-private-items
```
* fuzz:
```sh
cargo install cargo-fuzz
cargo +nightly fuzz run markdown
```
### Version
`markdown-rs` follows [SemVer](https://semver.org).
### Security
The typical security aspect discussed for markdown is [cross-site scripting
(XSS)][xss] attacks.
Markdown itself is safe if it does not include embedded HTML or dangerous
protocols in links/images (such as `javascript:` or `data:`).
`markdown-rs` makes any markdown safe by default, even if HTML is embedded or
dangerous protocols are used, as it encodes or drops them.
Turning on the `allow_dangerous_html` or `allow_dangerous_protocol` options for
user-provided markdown opens you up to XSS attacks.
An aspect related to XSS for security is syntax errors: markdown itself has no
syntax errors.
Some syntax extensions (specifically, only MDX) do include syntax errors.
For that reason, `to_html_with_options` returns `Result<String, String>`, of
which the error is a simple string indicating where the problem happened, what
occurred, and what was expected instead.
Make sure to handle your errors when using MDX.
Another security aspect is DDoS attacks.
For example, an attacker could throw a 100mb file at `markdown-rs`, in which
case it’s going to take a long while to finish.
It is also possible to crash `markdown-rs` with smaller payloads, notably when
thousands of links, images, emphasis, or strong are opened but not closed.
It is wise to cap the accepted size of input (500kb can hold a big book) and to
process content in a different thread so that it can be stopped when needed.
For more information on markdown sanitation, see
[`improper-markup-sanitization.md`][improper] by [**@chalker**][chalker].
### Contribute
See [`contributing.md`][contributing] for ways to help.
See [`support.md`][support] for ways to get help.
See [`code-of-conduct.md`][coc] for how to communicate in and around this
project.
### Sponsor
Support this effort and give back by sponsoring:
* [GitHub Sponsors](https://github.com/sponsors/wooorm)
(personal; monthly or one-time)
* [OpenCollective](https://opencollective.com/unified) or
[GitHub Sponsors](https://github.com/sponsors/unifiedjs)
(unified; monthly or one-time)
### Thanks
Special thanks go out to:
* [Vercel][] for funding the initial development
* [**@Murderlon**][murderlon] for the design of the logo
* [**@johannhof**][johannhof] for the crate name
## License
[MIT][license] © [Titus Wormer][author]
<!-- To do: public/publish -->
<!-- [build-badge]: https://github.com/wooorm/markdown-rs/workflows/main/badge.svg -->
<!-- [build]: https://github.com/wooorm/markdown-rs/actions -->
<!-- [crate-badge]: https://img.shields.io/crates/d/markdown.svg -->
<!-- [crate]: https://crates.io/crates/markdown -->
[docs]: https://wooorm.com/markdown-rs/markdown/
[chat-badge]: https://img.shields.io/badge/chat-discussions-success.svg
[chat]: https://github.com/wooorm/markdown-rs/discussions
[commonmark]: https://spec.commonmark.org
[cheat]: https://commonmark.org/help/
[rust]: https://www.rust-lang.org
[xss]: https://en.wikipedia.org/wiki/Cross-site_scripting
[improper]: https://github.com/ChALkeR/notes/blob/master/Improper-markup-sanitization.md
[chalker]: https://github.com/ChALkeR
[license]: license
[author]: https://wooorm.com
[mdast]: https://github.com/syntax-tree/mdast
[micromark]: https://github.com/micromark/micromark
[mdast-util-from-markdown]: https://github.com/syntax-tree/mdast-util-from-markdown
[vercel]: https://vercel.com
[murderlon]: https://github.com/murderlon
[johannhof]: https://github.com/johannhof
[contribute]: #contribute
[sponsor]: #sponsor
[extensions]: #extensions
[security]: #security
[test]: #test
[contributing]: .github/contribute.md
[support]: .github/support.md
[coc]: .github/code-of-conduct.md
|