starred/markdownlint

Fork 0

mirror of https://github.com/DavidAnson/markdownlint.git synced 2026-04-25 09:16:02 +03:00

[GH-ISSUE #464] MD033: Add option to allow or prohibit html attributes #2232

New issue

Open

opened 2026-03-07 20:05:48 +03:00 by kerem · 5 comments

kerem commented

2026-03-07 20:05:48 +03:00

Owner

Originally created by @FrancisVila on GitHub (Dec 9, 2021).
Original GitHub issue: https://github.com/DavidAnson/markdownlint/issues/464

I'd like to set the markdownlint.json file so that it allows HTML tags such as <table>, <tr>, <td>... tags, but prohibits any attributes like onclick or onmouseover. I've found the "MD033": { "allowed_elements": ["table", "tr"]} entry, but no way of banning or allowing specific attributes within those tags.

I would like to have something like:

"MD033": { 
   "allowed_elements": ["table", "tr"], 
   "allowed_attributes": ["class", "style"]
}

Why: I want to avoid the risk of accidentally letting through malicious code inside Pull Requests. I'm also converting docs from XHTML generated by Madcap Flare into markdown. Some of the tables are complex, with tables inside tables, multiple uses of colspan and rowspan. I am setting aside such tables from the conversion process (I'm using pypandoc in python, a thin wrapper for pandoc).

Originally created by @FrancisVila on GitHub (Dec 9, 2021). Original GitHub issue: https://github.com/DavidAnson/markdownlint/issues/464 I'd like to set the markdownlint.json file so that it allows HTML tags such as `<table>`, `<tr>`, `<td>`... tags, but prohibits any attributes like `onclick `or `onmouseover`. I've found the `"MD033": { "allowed_elements": ["table", "tr"]}` entry, but no way of banning or allowing specific attributes within those tags. I would like to have something like: ``` "MD033": { "allowed_elements": ["table", "tr"], "allowed_attributes": ["class", "style"] } ``` Why: I want to avoid the risk of accidentally letting through malicious code inside Pull Requests. I'm also converting docs from XHTML generated by Madcap Flare into markdown. Some of the tables are complex, with tables inside tables, multiple uses of colspan and rowspan. I am setting aside such tables from the conversion process (I'm using pypandoc in python, a thin wrapper for pandoc).

kerem added the

enhancement

label

2026-03-07 20:05:48 +03:00

kerem commented

2026-03-07 20:05:49 +03:00

Author

Owner

@DavidAnson commented on GitHub (Dec 9, 2021):

You may be able to block "onclick" today via MD044 by saying the preferred form is "OnClIcK": https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md#md044---proper-names-should-have-the-correct-capitalization

@DavidAnson commented on GitHub (Dec 9, 2021): You **may** be able to block "onclick" today via MD044 by saying the preferred form is "OnClIcK": https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md#md044---proper-names-should-have-the-correct-capitalization

kerem commented

2026-03-07 20:05:49 +03:00

Author

Owner

@FrancisVila commented on GitHub (Dec 10, 2021):

Thanks, I'll try that!

@FrancisVila commented on GitHub (Dec 10, 2021): Thanks, I'll try that!

kerem commented

2026-03-07 20:05:50 +03:00

Author

Owner

@FrancisVila commented on GitHub (Dec 10, 2021):

Yes, 'MD044': {'names': ['OnClIcK']}, does issue a warning for <a href="#" onclick="alert('HHHH')">AAA</a>

BUT

<a href="#" OnClIcK="alert('toto')">EEEEEEEEEEE</a>
produces an alert, the same as
<a href="#" onclick="alert('toto')">EEEEEEEEEEE</a>

So someone knowing the trick could look up the .markdownlint file and check the specified capitalization...

@FrancisVila commented on GitHub (Dec 10, 2021): **Yes**, `'MD044': {'names': ['OnClIcK']},` does issue a warning for `<a href="#" onclick="alert('HHHH')">AAA</a>` **BUT** `<a href="#" OnClIcK="alert('toto')">EEEEEEEEEEE</a>` produces an alert, the same as `<a href="#" onclick="alert('toto')">EEEEEEEEEEE</a>` So someone knowing the trick could look up the `.markdownlint` file and check the specified capitalization...

kerem commented

2026-03-07 20:05:50 +03:00

Author

Owner

@DavidAnson commented on GitHub (Dec 10, 2021):

Someone who wants to bypass the rules can disable them with a comment. :) The linter is meant to help well-meaning people and is not a security boundary.

@DavidAnson commented on GitHub (Dec 10, 2021): Someone who wants to bypass the rules can disable them with a comment. :) The linter is meant to help well-meaning people and is not a security boundary.

kerem commented

2026-03-07 20:05:50 +03:00

Author

Owner

@FrancisVila commented on GitHub (Dec 10, 2021):

Thanks David, I'll use that argument to justify adapting the .markdownlint file in my repo.

@FrancisVila commented on GitHub (Dec 10, 2021): Thanks David, I'll use that argument to justify adapting the .markdownlint file in my repo.