diff options
| author | Craig Jennings <c@cjennings.net> | 2026-06-30 17:25:50 -0400 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-06-30 17:25:50 -0400 |
| commit | 6660b0dc2a6e32aa4c4aec910a6a08bf8bb1e807 (patch) | |
| tree | 0e3f47b6194e426a0ab24f38579f1649f0ca79bf /modules | |
| parent | 0338c7b2504616e1b89ac21a4e1b5e460a42fec6 (diff) | |
| download | dotemacs-6660b0dc2a6e32aa4c4aec910a6a08bf8bb1e807.tar.gz dotemacs-6660b0dc2a6e32aa4c4aec910a6a08bf8bb1e807.zip | |
fix(markdown): vendor strapdown.js instead of a plain-HTTP CDN
The live markdown preview pulled strapdown.js from http://ndossougbe.github.io over plain HTTP. That broke the preview with no network, loaded third-party JS over an unencrypted connection (mixed content, MITM), and trusted an unmaintained github.io page against the localhost preview.
I vendored the self-contained bundle (jQuery, marked, bootstrap themes) into assets/strapdown.js and embed it inline. The whole preview now serves from localhost and works offline. cj/markdown-html reads the file once and caches it.
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/markdown-config.el | 28 |
1 files changed, 26 insertions, 2 deletions
diff --git a/modules/markdown-config.el b/modules/markdown-config.el index 4b6c9947d..cb37556f7 100644 --- a/modules/markdown-config.el +++ b/modules/markdown-config.el @@ -70,10 +70,34 @@ lives in a separate command." ;; rendered. (browse-url "http://localhost:8080/imp")) +;; strapdown.js renders the markdown client-side. It is vendored under +;; assets/ and embedded inline rather than loaded from +;; http://ndossougbe.github.io/strapdown/dist/strapdown.js: the CDN was plain +;; HTTP (mixed content), an unmaintained third-party github.io page (a +;; supply-chain and MITM surface), and made the preview fail with no network. +;; The bundle (jQuery + marked + bootstrap themes) is self-contained, so inlining +;; it serves the whole preview from localhost. Refresh by re-downloading the +;; dist build into assets/strapdown.js. +(defconst cj/markdown--strapdown-file + (expand-file-name "assets/strapdown.js" user-emacs-directory) + "Path to the vendored strapdown.js bundle served with the markdown preview.") + +(defvar cj/markdown--strapdown-cache nil + "Cached contents of `cj/markdown--strapdown-file', read once on first preview.") + +(defun cj/markdown--strapdown-js () + "Return the vendored strapdown.js source, reading and caching it once." + (or cj/markdown--strapdown-cache + (setq cj/markdown--strapdown-cache + (with-temp-buffer + (insert-file-contents-literally cj/markdown--strapdown-file) + (buffer-string))))) + (defun cj/markdown-html (buffer) (princ (with-current-buffer buffer - (format "<!DOCTYPE html><html><title>Impatient Markdown</title><xmp theme=\"united\" style=\"display:none;\"> %s </xmp><script src=\"http://ndossougbe.github.io/strapdown/dist/strapdown.js\"></script></html>" - (buffer-substring-no-properties (point-min) (point-max)))) + (format "<!DOCTYPE html><html><title>Impatient Markdown</title><xmp theme=\"united\" style=\"display:none;\"> %s </xmp><script>%s</script></html>" + (buffer-substring-no-properties (point-min) (point-max)) + (cj/markdown--strapdown-js))) (current-buffer))) ;; Bind the preview key after the defun so use-package's `:bind' autoload |
