Embed JavaScript in GitHub README.md
T

3

66

I want to embed a tweet in a GitHub README file. Markdown should support this; however, when I add the code that is copied from the tweet, the JavaScript doesn't get rendered.

Example:

```html
<blockquote>...</blockquote>
<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>
```

Any ideas?

Throwaway answered 24/1, 2014 at 19:23 Comment(2)
I'm not sure that you can embed JavaScript in Markdown. – Rajasthani

You do realize that if I could embed JavaScript into this comment I can go around looking for new questions, help you downvote a couple questions, post a new question for you, change your name or profile picture, and get you banned, right? You think allowing any script on your website is a good idea? You'll more likely embed tweets by asking GitHub to enable markdown embeds or something. – Marsiella
V
53

Allowing JavaScript from third parties directly on a website has huge XSS attack implications. Someone could use JavaScript code, for example, to grab the cookies associated with any visitor's GitHub account and forward them to a malicious entity.

There's also the nuisance potential, as having access to JavaScript means having access to the CPU of the visitor and being able to do things like pop-ups or blinking text.

As such, it's natural that JavaScript isn't supported in READMEs. Markdown may have a way of doing it, but it'll never be allowed on a website like GitHub.

However, you can do it on your project's GitHub page, if you have one, since it doesn't belong to the main GitHub website and the domain is not the same.

Vibrissa answered 24/1, 2014 at 19:24 Comment(3)
Well, if you own the README, then why would you be protecting yourself from making blinking text? With that line of logic we should disable JavaScript on websites because the owner of the website might be "able to do things like pop-ups or blinking text". – Lamere

JavaScript could also alter GitHub's login form's action such that logging in sends the user's credentials to your own malicious server. However, this could be mitigated by forcing JS to run inside an iframe as D1plo1d suggested. – Poteat

They recently allow you to customize your profile home page, so I was trying to load a JavaScript game into it; source – Siphonostele
P
17

As a follow up to coyotte508's answer (sorry, not enough points to reply directly):

If GitHub were to enable such a feature, they could use iframes as an effective measure against XSS in the same way ReadTheDocs does.

EDIT: Also, you might want to check out readthedocs.org as an alternative to a GitHub README.md. They support embedding JavaScript in rst files.

Pauly answered 16/8, 2015 at 18:22 Comment(0)
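
The iframe isolation suggested in the answer above, sketched as an added example that is not part of the original posts and is not GitHub's or Read the Docs' code. `buildSandboxedFrame`, `escapeAttr` and `ALLOWED_TOKENS` are hypothetical names, and the token allowlist is an assumption about what a host would be willing to grant.

```javascript
// Added example: a host page wraps untrusted HTML (such as the tweet embed
// from the question) in a sandboxed iframe instead of inlining it.

// Sandbox tokens the host grants to untrusted content (assumed policy).
// "allow-same-origin" is deliberately absent: without it the frame gets an
// opaque origin, so its scripts cannot read the host's cookies or reach the
// host DOM (for example, to rewrite a login form's action).
// "allow-top-navigation" is absent so the frame cannot redirect the page.
const ALLOWED_TOKENS = new Set(["allow-scripts", "allow-forms"]);

// Escape a string for a double-quoted HTML attribute value.
// "&" must be replaced first so the entities added for quotes survive.
function escapeAttr(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Return iframe markup that renders untrustedHtml in isolation.
// Throws if the caller asks for a token outside the allowlist.
function buildSandboxedFrame(untrustedHtml, tokens = ["allow-scripts"]) {
  for (const token of tokens) {
    if (!ALLOWED_TOKENS.has(token)) {
      throw new Error(`sandbox token not permitted: ${token}`);
    }
  }
  const sandbox = [...new Set(tokens)].join(" ");
  // srcdoc keeps the untrusted markup out of the host document's own tree;
  // escaping stops it from closing the attribute and breaking out.
  return `<iframe sandbox="${sandbox}" srcdoc="${escapeAttr(untrustedHtml)}"></iframe>`;
}

// Sample input taken from the question's snippet.
const tweetEmbed =
  '<blockquote>...</blockquote>' +
  '<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>';

console.log(buildSandboxedFrame(tweetEmbed));
```
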
V
1

I came here looking for this:

```js
function myFunction () {
   return true;
}
```
Viens answered 28/4, 2024 at 8:2 Comment(0)
