Which Markdown parser is used, and what format/resolution are custom site icons saved at?

Haha, yep, it's me again with some more ridiculously nerdy questions. At least you guys know that someone out there is noticing some of the gourmet ingredients you bake together into your haute cuisine of code, right? 8-)

So, first, a truly atrociously bad "bug report" regarding the Markdown parser employed in the Notes section, because it was actually a couple days ago that I attempted to use some syntactic element of Markdown and got no love, and was too busy at the time to report it, and now I don't recall all the details. Knowing me, after 18 years of volunteer editing at Wikimedia Foundation sites it was either a table, or an image. Oh, no, in fact I think it was a hyperlink (anchor link, external, might've even been a mailto: or ircs:, I can't be sure, but that's how I roll), and I know you guys previously put the kibosh on those based on security concerns, but please hear me out anyway.

I do agree that as a blanket policy, letting the general userbase run amok with Markdown is asking for headaches, that's how we get poop like GitHub-Flavored Markdown, we just can't have nice things when half the population has, by definition, a below-average IQ. However, I'm sure we can tacitly agree that restricting the Notes part of 1P to essentially plain text with Markdown just for syntactic sugar is unworthy of such a robust and powerful platform. We can be creative and think through the pitfalls, I'm certain of it. For instance, there are instances that I would really benefit from embedding images served on the public internet into the notes of my vault items, but of course being aware of how insidious an attack surface that could quickly become, I'd only want to do it from domains that I own, manage personally, and ideally have physical possession of the server and data hardware for. I think providing users with a config key that accepts an array of such domains that they wish whitelisted is a reasonable ask. You can even turn off wildcards in the array values and then if anyone unexpectedly discovers a lemonparty in their vault courtesy of Imgur/GIPHY/a random hotlink, the presence of the guilty domain in the array is proof of user erred at whitelisting, not bad software design.

My point being that in today's cloud-first world, it's reasonable to expect that more than a few of us have digital resources siloed remotely with security we're satisfied with and in light of the fact that we are always responsible for the contents of our vaults and no one else, should ultimately be the ones evaluating those risks. Just look at Obsidian as proof of how pervasive a concept brain dumps stored as Markdown have become/are becoming. You may want to counter with the fact that you already have file attachments and we can create as many data structures in vault items as we want, but when I need to review the inventory of various safety deposit boxes or registration numbers and engine sizes for a garage full of ATVs on the fly from my mobile, an attached .xls/.ods file or PDF scan of such is about the last thing I want; rather, I want that info neatly arranged in a "party like it's 1999"-chic HTML table, ideally with sortable headers and one column just for thumbnails of images served from my roll-your-own Nextcloud, all in the Notes field of a vault item. And the first 1P team member that tells me they're not privately nodding their head slowly right now and muttering "Mmmm, yeah, that would be super sweet..." is a liar. :p (Don't make me pontificate on how it's the perfect way to flip the criticism of the Electron frontend on its ear, by letting users make full advantage of the fact that it's a web-based UI framework to use HTML layout elements to their full advantage as Notes, because I will... ;))

Ugh, that was one long-damned digression, and for that I apologize. Since I need to hit the sack so let me get back to my original two inquiries as succinctly as the pleonastic male offspring of an unmarried woman can...

  1. What parser is being used to render the Markdown in the Notes fields? Off the top of my head, I'd guess pulldown-cmark, but with 37 "stable" Markdown parser libraries in the wild that I know of, chances are I'd be lucky to just be way out in left field with that one and not some other ZIP code. I ask because thanks to Markdown being the hippie-dippy, free-love, "we don't need no stinking definitive specifications" language it is, us users are certain to run into quirks or absent elements we're used to using elsewhere but go nowhere in 1P, and I'd rather be able to understand those limits outright than waste precious time on field-testing some workaround we used once in a similar situation. Plus I've once or twice wanted to escape certain things from the parser entirely, a la comments in source code, and since Markdown doesn't even attempt to provide a syntax for comments other than HTML-style (and those don't work either), knowing which bronco I'm riding could clue me into how to ride it.
  2. I'm one of "those users" with bad enough OCD to whip up custom icons for sites in my vaults which lack them or have really bad ones, but without knowing what, if any, transforms are happening to them on your end, I could be over- or underdoing the level of detail. I might even be shooting myself in the foot if you're actually not downscaling some of my 2000x2000px "masterpieces" and instead just serving them back to my dumb ass as-is, and that's why some seem hesitant to load. Any details you can offer as to file format, resolution, compression, interlacing, etc. would be most humbly accepted, without argument. Oh, and I haven't gotten around to testing if this is even possible currently, but if "a friend" wanted to whip up some animated .webp files of can-can dancers to kick in unison as I scroll through the vault, would that dog hunt, either now or at some later point on the roadmap?

Alright, my most heartfelt gratitude to anyone who made it this far. I swear I don't mean to write so much to communicate so little all of the time, it just happens. If it's any consolation, I still think you all hung the moon with 1Password, even the Early Access builds have been a privilege to use and watch evolve. Thanks for hanging in there, and good night.

Peter "RogueScholar" Mello

P.S. Oh yeah...Alphabet Strip! We need one of those (a jump menu) in the 1P8 desktop clients, for moving to a specific letter in the list, a la the Win10/Win11 Start Menu or MusicBee library interface. I know there's always search, but sometimes the mouse is already in my hand, and it's a super-low footprint UI element to tuck in along some edge somewhere. Think about it, okay? Later, alligator. poofs

1Password Version: 8.2.2-39.BETA
Extension Version: 2.1.0
OS Version: Windows 11 Build 22454.1000/Kubuntu 21.10 Impish


  • 1Password 8 does (currently) not even support rich icons...

  • ag_andrewag_andrew

    Team Member

    Hi @RogueScholar,

    We do indeed use pulldown-cmark, good guess!

    However we don't use it the way that is most common (using the library to generate HTML). In 1Password 8 we use pulldown-cmark to generate Markdown Events and convert those into a structured representation that is rendered by the UI. This helps us mitigate the issues with trusting the raw HTML generated by a given markdown parser and instead gives us the chance to build a safer rendering pipeline for your secure notes.

    That may be why you're not able to use every markdown trick in the book, but if there's something you think should work but isn't, please let us know so we can take a look!

    As for custom icons for items, they are not yet supported in 1Password 8 but we are tracking that issue and you're certainly not the only one who misses them.

    Thanks again for your feedback.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file