👉 Note: this is a new crate that reuses an old name. The old crate (
0.3.0
and lower) has a bunch of problems. Make sure to use the new crate, currently in alpha at1.0.0-alpha.21
.
CommonMark compliant markdown parser in Rust with ASTs and extensions.
markdown-rs
is an open source markdown parser written in Rust.
It’s implemented as a state machine (#![no_std]
+ alloc
) that emits
concrete tokens, so that every byte is accounted for, with positional info.
The API then exposes this information as an AST, which is easier to work with,
or it compiles directly to HTML.
While most markdown parsers work towards compliancy with CommonMark (or GFM),
this project goes further by following how the reference parsers (cmark
,
cmark-gfm
) work, which is confirmed with thousands of extra tests.
Other than CommonMark and GFM, this project also supports common extensions to markdown such as MDX, math, and frontmatter.
This Rust crate has a sibling project in JavaScript: micromark
(and mdast-util-from-markdown
for the AST).
P.S. if you want to compile MDX, use mdxjs-rs
.
With Rust (rust edition 2018+, ±version 1.56+), install with cargo
:
cargo add markdown@1.0.0-alpha.21
👉 Note: this is a new crate that reuses an old name. The old crate (
0.3.0
and lower) has a bunch of problems. Make sure to use the new crate, currently in alpha at1.0.0-alpha.21
.
fn main() {
println!("{}", markdown::to_html("## Hello, *world*!"));
}
Yields:
<h2>Hello, <em>world</em>!</h2>
Extensions (in this case GFM):
fn main() -> Result<(), markdown::message::Message> {
println!(
"{}",
markdown::to_html_with_options(
"* [x] contact@example.com ~~strikethrough~~",
&markdown::Options::gfm()
)?
);
Ok(())
}
Yields:
<ul>
<li>
<input checked="" disabled="" type="checkbox" />
<a href="https://github.com/wooorm/markdown-rs/blob/main/mailto:contact@example.com">contact@example.com</a>
<del>strikethrough</del>
</li>
</ul>
Syntax tree (mdast):
fn main() -> Result<(), markdown::message::Message> {
println!(
"{:?}",
markdown::to_mdast("# Hey, *you*!", &markdown::ParseOptions::default())?
);
Ok(())
}
Yields:
Root { children: [Heading { children: [Text { value: "Hey, ", position: Some(1:3-1:8 (2-7)) }, Emphasis { children: [Text { value: "you", position: Some(1:9-1:12 (8-11)) }], position: Some(1:8-1:13 (7-12)) }, Text { value: "!", position: Some(1:13-1:14 (12-13)) }], position: Some(1:1-1:14 (0-13)), depth: 1 }], position: Some(1:1-1:14 (0-13)) }
markdown-rs
exposes
to_html
,
to_html_with_options
,
to_mdast
,
Options
,
and a few other structs and enums.
See the crate docs for more info.
markdown-rs
supports extensions to CommonMark
.
These extensions are maintained in this project.
They are not enabled by default but can be turned on with options.
It is not a goal of this project to support lots of different extensions. It’s instead a goal to support very common and mostly standardized extensions.
markdown-rs
is maintained as a single monolithic crate.
The process to parse markdown looks like this:
markdown-rs
+-------------------------------------------------+
| +-------+ +---------+--html- |
| -markdown->+ parse +-events->+ compile + |
| +-------+ +---------+-mdast- |
+-------------------------------------------------+
The files in src/
are as follows:
construct/*.rs
— CommonMark, GFM, and other extension constructs used in markdownutil/*.rs
— helpers often needed when parsing markdownevent.rs
— things with meaning happening somewherelib.rs
— public APImdast.rs
— syntax treeparser.rs
— turn a string of markdown into eventsresolve.rs
— steps to process eventsstate.rs
— steps of the state machinesubtokenize.rs
— handle content in other contentto_html.rs
— turns events into a string of HTMLto_mdast.rs
— turns events into a syntax treetokenizer.rs
— glue the states of the state machine togetherunist.rs
— point and position, used in mdastmarkdown-rs
is tested with the \~650 CommonMark tests and more than 1k extra
tests confirmed with CM reference parsers.
Then there’s even more tests for GFM and other extensions.
These tests reach all branches in the code, which means that this project has
100% code coverage.
Fuzz testing is used to check for things that might fall through coverage.
The following bash scripts are useful when working on this project:
cargo run --manifest-path generate/Cargo.toml
RUST_BACKTRACE=1 RUST_LOG=trace cargo run --example lib --features log
cargo fmt && cargo fix --all-features --all-targets --workspace
cargo fmt --check && cargo clippy --all-features --all-targets --workspace
RUST_BACKTRACE=1 cargo test --all-features --workspace
cargo doc --document-private-items --examples --workspace
cargo install cargo-fuzz
cargo install honggfuzz
cargo +nightly fuzz run markdown_libfuzz
cargo hfuzz run markdown_honggfuzz
markdown-rs
follows SemVer.
The typical security aspect discussed for markdown is cross-site scripting
(XSS) attacks.
Markdown itself is safe if it does not include embedded HTML or dangerous
protocols in links/images (such as javascript:
or data:
).
markdown-rs
makes any markdown safe by default, even if HTML is embedded or
dangerous protocols are used, as it encodes or drops them.
Turning on the allow_dangerous_html
or allow_dangerous_protocol
options for
user-provided markdown opens you up to XSS attacks.
An aspect related to XSS for security is syntax errors: markdown itself has no
syntax errors.
Some syntax extensions (specifically, only MDX) do include syntax errors.
For that reason, to_html_with_options
returns Result<String, Message>
, of
which the error is a struct indicating where the problem happened, what
occurred, and what was expected instead.
Make sure to handle your errors when using MDX.
Another security aspect is DDoS attacks.
For example, an attacker could throw a 100mb file at markdown-rs
, in which
case it’s going to take a long while to finish.
It is also possible to crash markdown-rs
with smaller payloads, notably when
thousands of links, images, emphasis, or strong are opened but not closed.
It is wise to cap the accepted size of input (500kb can hold a big book) and to
process content in a different thread so that it can be stopped when needed.
For more information on markdown sanitation, see
improper-markup-sanitization.md
by @chalker.
See contributing.md
for ways to help.
See support.md
for ways to get help.
See code-of-conduct.md
for how to communicate in and around this
project.
Support this effort and give back by sponsoring:
Special thanks go out to:
micromark
— same as markdown-rs
but in JavaScriptmdxjs-rs
— wraps markdown-rs
to compile MDX to JavaScriptMIT © Titus Wormer