{@render children?.()}
{/snippet} {#snippet heading({ depth, children })} {#if depth === 1}{@render children?.()}
{:else}{@render children?.()}
{/if} {/snippet} {#snippet link({ href, title, children })} {@render children?.()} {/snippet} {#snippet code({ lang, text })}{text}{props.text}
- ` with bidirectional links (ref to definition and back). You can also use snippet overrides for custom rendering.
### How It Works
Marked extensions define custom token types with a `name` property (e.g., `inlineKatex`, `blockKatex`, `alert`). When you pass extensions via the `extensions` prop, SvelteMarkdown automatically extracts these token type names and makes them available as both **component renderer keys** and **snippet override names**.
To find the token type names for any extension, check its source or documentation for the `name` field in its `extensions` array:
```js
// Example: markedKatex (built-in) registers tokens named "inlineKatex" and "blockKatex"
// โ use renderers={{ inlineKatex: ..., blockKatex: ... }}
// โ or {#snippet inlineKatex(props)} and {#snippet blockKatex(props)}
// Example: a custom alert extension registers a token named "alert"
// โ use renderers={{ alert: AlertComponent }}
// โ or {#snippet alert(props)}
```
Each snippet/component receives the token's properties as props (e.g., `text`, `displayMode` for KaTeX; `text`, `level` for alerts).
See the [full documentation](https://markdown.svelte.page/docs/advanced/marked-extensions) and [interactive demo](https://markdown.svelte.page/examples/marked-extensions).
### TypeScript
All snippet prop types are exported for use in external components:
```typescript
import type {
ParagraphSnippetProps,
HeadingSnippetProps,
LinkSnippetProps,
CodeSnippetProps,
HtmlSnippetProps,
SnippetOverrides,
HtmlSnippetOverrides
} from '@humanspeak/svelte-markdown'
```
## Advanced Features
### Table Support with Mixed Content
The package excels at handling complex nested structures and mixed content:
```markdown
| Type | Content |
| ---------- | --------------------------------------- |
| Nested |
- Item 1
- Item 2
- `)
- `heading` - Heading (`
`-`
`) - `codespan` - Inline code (`
`) - `code` - Block of code (``) - `html` - HTML node - `rawtext` - All other text that is going to be included in an object above ### Optional List Renderers For fine-grained styling: - `orderedlistitem` - Items in ordered lists - `unorderedlistitem` - Items in unordered lists ### HTML Renderers The `html` renderer is special and can be configured separately to handle HTML elements: | Element | Description | | -------- | -------------------- | | `div` | Division element | | `span` | Inline container | | `table` | HTML table structure | | `thead` | Table header group | | `tbody` | Table body group | | `tr` | Table row | | `td` | Table data cell | | `th` | Table header cell | | `ul` | Unordered list | | `ol` | Ordered list | | `li` | List item | | `code` | Code block | | `em` | Emphasized text | | `strong` | Strong text | | `a` | Anchor/link | | `img` | Image | You can customize HTML rendering by providing your own components: ```typescript import type { HtmlRenderers } from '@humanspeak/svelte-markdown' const customHtmlRenderers: Partial= { div: YourCustomDivComponent, span: YourCustomSpanComponent } ``` ## Events The component emits a `parsed` event when tokens are calculated: ```svelte ``` ## Props | Prop | Type | Description | | ------------------ | ----------------------- | ------------------------------------------------------------------------------------------------------ | | source | `string \| Token[]` | Markdown content or pre-parsed tokens | | streaming | `boolean` | Enable incremental rendering for LLM streaming | | renderers | `Partial ` | Custom component overrides | | options | `SvelteMarkdownOptions` | Marked parser configuration | | isInline | `boolean` | Toggle inline parsing mode | | extensions | `MarkedExtension[]` | Third-party marked extensions (e.g., KaTeX math) | | sanitizeUrl | `SanitizeUrlFn` | URL sanitizer applied before render. Defaults to `defaultSanitizeUrl` (http/https/mailto/tel/relative) | | sanitizeAttributes | `SanitizeAttributesFn` | Attribute sanitizer applied before render. Defaults to `defaultSanitizeAttributes` | ## Security This package takes a defense-in-depth approach to security. The defaults below are applied automatically in the Parser before tokens reach any renderer or snippet, so custom renderers cannot bypass them. **On by default:** - **Secure HTML parsing** โ All HTML is parsed through HTMLParser2's streaming parser rather than `innerHTML`, preventing script injection - **URL protocol allowlist** (`defaultSanitizeUrl`) โ Markdown link/image URLs and the HTML attributes `href`, `src`, `action`, `formaction`, `cite`, `data`, and `poster` are restricted to `http:`, `https:`, `mailto:`, `tel:`, and relative URLs. `javascript:`, `vbscript:`, `data:`, and `blob:` URIs are blocked (including mixed-case and leading-whitespace variants). - **Event handler stripping** (`defaultSanitizeAttributes`) โ All `on*` attributes (e.g. `onclick`, `onerror`, `onload`) are removed. The `srcdoc` attribute is also stripped to prevent iframe HTML injection. - **No ``) rather than executing or applying them. **Configurable controls:** - **Custom sanitizers** โ Pass `sanitizeUrl` / `sanitizeAttributes` props to tighten or loosen the defaults. Use the exported `unsanitizedUrl` / `unsanitizedAttributes` passthroughs to disable sanitization entirely (only for trusted input). - **Granular HTML control** โ Use `allowHtmlOnly()` / `excludeHtmlOnly()` to restrict which HTML tags are rendered (see [Helper utilities](#helper-utilities-for-allowdeny-strategies)). For example, `excludeHtmlOnly(['iframe', 'form', 'embed'])` if you don't want those. - **Full HTML lockdown** โ Call `buildUnsupportedHTML()` to block all raw HTML rendering. - **Markdown renderer control** โ Use `allowRenderersOnly()` / `excludeRenderersOnly()` to limit which markdown token types are rendered. **Known gaps (not handled by defaults):** - **Inline `style="..."` attributes are not sanitized.** They pass through unchanged (only `on*` and `srcdoc` are stripped from attribute maps). Modern browsers don't execute JavaScript via CSS, but visual hijacking (e.g. `display:none`) and exfiltration via background-image URLs are possible. - **`iframe`, `form`, `embed` are rendered** by default. With `on*`/`srcdoc` stripped and `src`/`action` protocol-restricted, the worst exploits are blocked, but an iframe to an arbitrary `http(s)` URL is still possible. Use `excludeHtmlOnly(['iframe', 'form', 'embed'])` to remove them. - **`srcset` and other less common URL attributes are not sanitized.** Only the attributes listed above pass through `sanitizeUrl`. Provide a custom `sanitizeAttributes` if you need broader coverage. - **No built-in DOM sanitizer** โ By design, the package does not bundle DOMPurify or similar. For untrusted input, layer a full sanitizer on top of the defaults above. ## License MIT ยฉ [Humanspeak, Inc.](LICENSE) ## Credits Made with โค๏ธ by [Humanspeak](https://humanspeak.com)
`inline code` |
```
### HTML in Markdown
Seamlessly mix HTML and Markdown:
```markdown
Click to expand
- This is a markdown list - Inside an HTML details element - Supporting **bold** and _italic_ text`)
- `em` - Emphasis (``)
- `strong` - Strong/bold (``)
- `hr` - Horizontal rule (`
`)
- `blockquote` - Block quote (``)
- `del` - Deleted/strike-through (`
`)
- `link` - Link (``)
- `image` - Image (``)
- `table` - Table (`
`)
- `tablehead` - Table head (``)
- `tablebody` - Table body (``)
- `tablerow` - Table row (`
`)
- `tablecell` - Table cell (` `/` `)
- `list` - List (` `/`
`)
- `listitem` - List item (`