Spec bug: Arbitrary CSS classes from fenced code blocks

riking · September 3, 2014, 9:02pm

The spec says that the fenced code block info string is used to populate the class attribute of the <pre> tag.

An info string can be provided after the opening code fence. Opening and closing spaces will be stripped, and the first word is used here to populate the class attribute of the enclosing pre tag.

However, this is dangerous. Consider the following CSS and Markdown:

.spin {
  animation: spin 2s infinite linear;
}

```spin
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (continued)
```
```spin
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (continued)
```
```spin
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (continued)
```

You now have the ability for people to cause visual “griefing” via constantly spinning lines of text.

It would be safer to put the info string into a data- attribute, or a prefixed CSS class.

zwol · September 3, 2014, 9:56pm

“Don’t do that then.” This is a job for a user-submitted-content sanitizer, not for Markdown proper. (In other words: if I’m the sole author of a document I ought to be able to set my CSS classes to whatever I damn well please.)

riking · September 3, 2014, 9:58pm

I’m still worried about conflicts, e.g. in cases like

```c
int main(void) {
    return 0;
}
```

What if you are using the .c class somewhere else?

It should use something like “code-c”.

Yes, but you can still do that with the HTML elements.

imsky · September 3, 2014, 10:00pm

There could be an unintentional name collision with existing classes on a page however. For example, reddit.com uses .title for various elements. If ```title results in <div class="title">, then that causes an issue.

poke · September 3, 2014, 10:08pm

That seems like a good idea, however I think that’s some kind of implementation detail that should be left to the implementation. I could imagine having a preference of some kind for “code class prefix” or something like that.

walle · September 4, 2014, 12:42am

This thread gives a pretty good solution.

Fenced code blocks should add class to `code` rather than `pre`, matching the HTML best practice

This means that
var x = 42;
Will not be translated to:

<pre class=“javascript”><code>var x = 42;</code></pre>

…anymore, but instead to:

<pre><code class=“language-javascript”>var x = 42;</code></pre>

Reason: this matches the convention set out in the HTML standard itself — look for the code example that looks something like this:

<pre><code class=“language-javascript”>
…
</code></pre>

If that is not convincing enough, note that this convention is supported by many syntax highlighting scripts written in JavaScript, e.g. highlight.js and google-code-prettify. Requiring Markdown implementations to output code that is recognized by these scripts is a major win.