date 2021-07-30
mdast utility to treat HTML comments as ranges.
Useful in remark plugins.
This package is ESM only: Node 12+ is needed to use it and it must be imported instead of required.
npm:
npm install mdast-zone
Say we have the following file, example.md:
<!--foo start-->
Foo
<!--foo end-->
And our script, example.js, looks as follows:
import {readSync} from 'to-vfile'
import {remark} from 'remark'
import {zone} from 'mdast-zone'

const file = readSync('example.md')

remark()
  .use(plugin)
  .process(file)
  .then((file) => {
    console.log(String(file))
  })

function plugin() {
  return transform

  function transform(tree) {
    zone(tree, 'foo', mutate)
  }

  function mutate(start, nodes, end) {
    return [
      start,
      {type: 'paragraph', children: [{type: 'text', value: 'Bar'}]},
      end
    ]
  }
}
Now, running node example yields:
<!--foo start-->
Bar
<!--foo end-->
This package exports the following identifiers: zone.
There is no default export.
zone(tree, name, handler)
Search tree for comment ranges (“zones”).
tree (Node) — Tree to search for ranges
name (string) — Name of ranges to search for
handler (Function) — Function invoked for each found range
function handler(start, nodes, end)
Invoked with the two markers that determine a range: the first start and the last end, and the content inside.
start (Node) — Start of range (an HTML comment node)
nodes (Array.<Node>) — Nodes between start and end
end (Node) — End of range (an HTML comment node)
Array.<Node>? — List of nodes to replace start, nodes, and end with, optional.
Improper use of
handler can open you up to a cross-site scripting (XSS)
attack as the value it returns is injected into the syntax tree.
This can become a problem if the tree is later transformed to hast.
The following example shows how a script is injected that could run when loaded
in a browser.
function handler(start, nodes, end) {
  return [start, {type: 'html', value: '<script>alert(1)</script>'}, end]
}
Yields:
<!--foo start-->
<script>alert(1)</script>
<!--foo end-->
Either do not use user input or use hast-util-sanitize.
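A defensive wrapper for handlers that may see user input, as an added example that is not part of mdast-zone: the hypothetical helpers `guardHandler` and `neutralize` turn any raw `html` node a handler returns into a text node, so it is escaped on output rather than rendered. It assumes zone markers sit at block level, as in example.md.

```javascript
// Added example: `guardHandler` and `neutralize` are hypothetical helpers,
// not part of mdast-zone.

// mdast parents whose children are flow (block) content.
const flowParents = new Set(['root', 'blockquote', 'listItem', 'footnoteDefinition'])

// Replace raw `html` nodes with escaped text, recursing through children.
function neutralize(node, inFlow, trusted) {
  // The zone's own start/end comment markers are passed through untouched.
  if (trusted.has(node)) return node
  if (node.type === 'html') {
    const text = {type: 'text', value: String(node.value)}
    // Text is phrasing content, so wrap it in a paragraph at block level.
    return inFlow ? {type: 'paragraph', children: [text]} : text
  }
  if (!Array.isArray(node.children)) return node
  const childFlow = flowParents.has(node.type)
  return {
    ...node,
    children: node.children.map((child) => neutralize(child, childFlow, trusted))
  }
}

// Wrap a handler so that whatever it returns is neutralized before zone()
// injects it into the tree.
function guardHandler(handler) {
  return function (start, nodes, end) {
    const result = handler(start, nodes, end)
    // A handler may return nothing, meaning "leave the range alone".
    if (!Array.isArray(result)) return result
    // Assumption: zone markers are block-level, so results are flow content.
    const trusted = new Set([start, end])
    return result.map((node) => neutralize(node, true, trusted))
  }
}

// Constructed sample: a handler that places untrusted input in an `html` node.
function demo(userInput) {
  const start = {type: 'html', value: '<!--foo start-->'}
  const end = {type: 'html', value: '<!--foo end-->'}
  const unsafe = (start, nodes, end) => [start, {type: 'html', value: userInput}, end]
  return guardHandler(unsafe)(start, [], end)
}
```

Pass `guardHandler(mutate)` to `zone` in place of `mutate`. It only covers raw `html` nodes, so hast-util-sanitize remains the control for a tree that is later transformed to hast.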
mdast-util-heading-range — use headings as ranges instead of comments
