Use Markdown within Zettelstore

00001008010000 · Info · (manual) · #manual #markdown #zettelstore (all)

If you are customized to use Markdown as your markup language, you can configure Zettelstore to support your decision. Zettelstore supports the CommonMark dialect of Markdown.

Use Markdown as the default markup language of Zettelstore

Update the New Zettel template (and other relevant template zettel) by setting the syntax value to md or markdown. Whether to use md or markdown is not just a matter to taste. It also depends on the value of zettel-file-syntax and, to some degree, on the value of yaml-header.

If you set yaml-header to true, then new content is always stored in a file with the extension .zettel.

Otherwise zettel-file-syntax lists all syntax values, where its content should be stored in a file with the extension .zettel.

If neither yaml-header nor zettel-file-syntax is set, new content is stored in a file where its file name extension is the same as the syntax value of that zettel. In this case it makes a difference, whether you specify md or markdown. If you specify the syntax md, your content will be stored in a file with the .md extension. Similar for the syntax markdown.

If you want to process the files that store the zettel content, e.g. with some other Markdown tools, this may be important. Not every Markdown tool allows both file extensions.

BTW, metadata is stored in a file without a file extension, if neither yaml-header nor zettel-file-syntax is set.

Security aspects

You should be aware that Markdown is a super-set of HTML. The body of any HTML document is also a valid Markdown document. If you write your own zettel, this is probably not a problem.

However, if you receive zettel from others, you should be careful. An attacker might include malicious HTML code in your zettel. For example, HTML allows to embed JavaScript, a full-sized programming language that drives many web sites. When a zettel is displayed, JavaScript code might be executed, sometimes with harmful results.

By default, Zettelstore prohibits any HTML content. If you want to relax this rule, you should take a look at the startup configuration key insecure-html.

Even if you have allowed HTML content, Zettelstore mitigates some of the security problems by ignoring suspicious text when it encodes a zettel as HTML. Any HTML text that might contain the <script> tag or the <iframe> tag is ignored. This may lead to unexpected results if you depend on these. Other encodings may still contain the full HTML text.

Any external client of Zettelstore, which does not use Zettelstore's HTML encoding, must be programmed to take care of malicious code.