Embed JavaScript in GitHub README.md

Published 2019-04-03 03:17

Question:

I want to embed a tweet in a GitHub README file. Markdown should support this; however, when I add the code copied from the tweet, the JavaScript doesn't get rendered.

Example:

<blockquote>...</blockquote>
<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>

Any ideas?

Answer 1:

Allowing JavaScript from third parties directly on a website has huge XSS attack implications. Someone could, for example, use JavaScript code to grab the cookies associated with any visitor's GitHub account and forward them to a malicious entity.

There's also the nuisance potential, as having access to JavaScript means having access to the CPU of the visitor and being able to do things like pop-ups or blinking text.

As such, it's natural that JavaScript isn't supported in READMEs. Markdown may have a way of doing it, but it'll never be allowed on a website like GitHub.

However, you can do it on your project's GitHub page, if you have one, since it doesn't belong to the main GitHub website and the domain is not the same.
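
The kind of filtering Answer 1 describes, as an added example that is not part of the original answers and is not GitHub's actual sanitizer: an allowlist HTML filter built on Python's standard `html.parser`, run over the question's tweet embed. The allowlist, the names `ReadmeSanitizer`, `sanitize` and `safe_url`, and the blockquote body in the sample input are assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this example: tag -> attributes it may keep.
ALLOWED = {"blockquote": set(), "p": set(), "em": set(), "strong": set(), "a": {"href"}}
DROP_WITH_CONTENT = {"script", "style"}  # removed together with their bodies
SAFE_SCHEMES = ("http://", "https://", "mailto:")
# Constructed input: the question's embed with a made-up blockquote body.
TWEET_EMBED = ('<blockquote class="twitter-tweet"><p>Hello '
               '<a href="https://example.com/status/1">link</a></p></blockquote>\n'
               '<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>')

def safe_url(value):
    # Browsers ignore whitespace and control characters inside a scheme, so drop them first.
    cleaned = "".join(ch for ch in value if ch > " ").lower()
    return cleaned.startswith(SAFE_SCHEMES)

class ReadmeSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif tag in ALLOWED and not self.skip_depth:
            kept = ""
            for name, value in attrs:
                # Event handlers (onclick, onerror, ...) are never on the allowlist.
                if name in ALLOWED[tag] and safe_url(value or ""):
                    kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize(html_text):
    parser = ReadmeSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

Calling `sanitize(TWEET_EMBED)` keeps the blockquote text and its link but drops the `<script>` element, which is the behaviour the question observes in a rendered README.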



Answer 2:

As a follow-up to coyotte508's answer (sorry, not enough points to reply directly):

If GitHub were to enable such a feature, they could use iframes as an effective measure against XSS in the same way ReadTheDocs does.

EDIT: Also, you might want to check out readthedocs.org as an alternative to a GitHub README.md. They support embedding JavaScript in rst files.