$ cnpm install mdast-util-to-hast
mdast-util-to-hast
mdast utility to transform to hast.
Note: You probably want to use
remark-rehype.
Install
This package is ESM only:
Node 12+ is needed to use it and it must be imported instead of required.
npm:
npm install mdast-util-to-hast
Use
Say we have the following example.md:
## Hello **World**!
…and next to it, example.js:
import fs from 'node:fs'
import {fromMarkdown} from 'mdast-util-from-markdown'
import {toHast} from 'mdast-util-to-hast'
import {toHtml} from 'hast-util-to-html'
const mdast = fromMarkdown(fs.readFileSync('example.md'))
const hast = toHast(mdast)
const html = toHtml(hast)
console.log(html)
Which when running with node example yields:
<h2>Hello <strong>World</strong>!</h2>
API
This package exports the following identifiers: toHast, all, one
There is no default export.
toHast(node[, options])
Transform the given mdast tree to a hast tree.
Options
options.allowDangerousHtml
Whether to allow html nodes and inject them as raw HTML
(boolean, default: false).
Only do this when using hast-util-to-html
(rehype-stringify) or hast-util-raw
(rehype-raw) later: raw nodes are not a standard part of
hast.
options.handlers
Object mapping mdast nodes to functions handling them.
Take a look at lib/handlers/ for examples.
options.passThrough
List of custom mdast node types to pass through (keep) in hast
(Array.<string>, default: []).
If the passed through nodes have children, those children are expected to be
mdast and will be handled.
options.unknownHandler
Handler for unknown nodes (that aren’t in handlers or passThrough).
Default behavior:
- Unknown nodes with
childrenare transformed todivelements - Unknown nodes with
valueare transformed totextnodes
Returns
Notes
yamlandtomlnodes are ignored (created byremark-frontmatter)htmlnodes are ignored ifallowDangerousHtmlisfalsepositions are properly patchednode.data.hNameconfigures the hast element’s tag-namenode.data.hPropertiesis mixed into the hast element’s propertiesnode.data.hChildrenconfigures the hast element’s children- GFM (and this project) uses the obsolete
alignattribute ontdandthelements; combine this utility with@mapbox/hast-util-table-cell-styleto usestyleinstead
Examples
hName
node.data.hName sets the tag name of an element.
The following mdast:
{
type: 'strong',
data: {hName: 'b'},
children: [{type: 'text', value: 'Alpha'}]
}
Yields, in hast:
{
type: 'element',
tagName: 'b',
properties: {},
children: [{type: 'text', value: 'Alpha'}]
}
hProperties
node.data.hProperties in sets the properties of an element.
The following mdast:
{
type: 'image',
src: 'circle.svg',
alt: 'Big red circle on a black background',
title: null,
data: {hProperties: {className: ['responsive']}}
}
Yields, in hast:
{
type: 'element',
tagName: 'img',
properties: {
src: 'circle.svg',
alt: 'Big red circle on a black background',
className: ['responsive']
},
children: []
}
hChildren
node.data.hChildren sets the children of an element.
The following mdast:
{
type: 'code',
lang: 'js',
data: {
hChildren: [
{
type: 'element',
tagName: 'span',
properties: {className: ['hljs-meta']},
children: [{type: 'text', value: '"use strict"'}]
},
{type: 'text', value: ';'}
]
},
value: '"use strict";'
}
Yields, in hast (note: the pre and language-js class are normal
mdast-util-to-hast functionality):
{
type: 'element',
tagName: 'pre',
properties: {},
children: [{
type: 'element',
tagName: 'code',
properties: {className: ['language-js']},
children: [
{
type: 'element',
tagName: 'span',
properties: {className: ['hljs-meta']},
children: [{type: 'text', value: '"use strict"'}]
},
{type: 'text', value: ';'}
]
}]
}
all(h, parent)
Helper function for writing custom handlers passed to options.handlers.
Pass it h and a parent node (mdast) and it will turn the node’s children into
an array of transformed nodes (hast).
one(h, node, parent)
Helper function for writing custom handlers passed to options.handlers.
Pass it h, a node, and its parent (mdast) and it will turn node into
hast content.
Security
Use of mdast-util-to-hast can open you up to a
cross-site scripting (XSS) attack.
Embedded hast properties (hName, hProperties, hChildren), custom handlers,
and the allowDangerousHtml option all provide openings.
The following example shows how a script is injected where a benign code block is expected with embedded hast properties:
var code = {type: 'code', value: 'alert(1)'}
code.data = {hName: 'script'}
Yields:
<script>alert(1)</script>
The following example shows how an image is changed to fail loading and therefore run code in a browser.
var image = {type: 'image', url: 'existing.png'}
image.data = {hProperties: {src: 'missing', onError: 'alert(2)'}}
Yields:
<img src="missing" onerror="alert(2)">
The following example shows the default handling of embedded HTML:
# Hello
<script>alert(3)</script>
Yields:
<h1>Hello</h1>
Passing allowDangerousHtml: true to mdast-util-to-hast is typically still
not enough to run unsafe code:
<h1>Hello</h1>
<script>alert(3)</script>
If allowDangerousHtml: true is also given to hast-util-to-html (or
rehype-stringify), the unsafe code runs:
<h1>Hello</h1>
<script>alert(3)</script>
Use hast-util-sanitize to make the hast tree safe.
Related
mdast-util-to-nlcst— transform mdast to nlcsthast-util-to-mdast— transform hast to mdasthast-util-to-xast— transform hast to xasthast-util-sanitize— sanitize hast nodesremark-rehype— rehype support for remarkrehype-remark— remark support for rehype
Contribute
See contributing.md in syntax-tree/.github for ways to get
started.
See support.md for ways to get help.
This project has a code of conduct. By interacting with this repository, organization, or community you agree to abide by its terms.
License
Current Tags
- 12.1.1 ... latest (4 years ago)
10 Versions
kmck
wooorm
- @types/mdast ^3.0.0
- @types/unist ^2.0.0
- mdast-util-definitions ^4.0.0
- mdurl ^1.0.0
- unist-builder ^2.0.0
- unist-util-generated ^1.0.0
- unist-util-position ^3.0.0
- unist-util-visit ^2.0.0
- browserify ^17.0.0
- dtslint ^4.0.0
- nyc ^15.0.0
- prettier ^2.0.0
- remark-cli ^9.0.0
- remark-preset-wooorm ^8.0.0
- tape ^5.0.0
- tinyify ^3.0.0
- xo ^0.34.0