Lightweight, robust, elegant syntax highlighting.
Latest commit 17e33bc Nov 20, 2016 @Rob--W Rob--W committed with Golmote Reduce risk of XSS (#1051)
* Skip non-own properties of env.attributes

Use `Object.keys` instead of a for-in loop to find optional attributes.
The former only grabs keys that are own properties, the latter also
includes inherited properties from `Object.prototype`.
This reduces the risk of XSS if an attacker somehow manages to
manipulate the prototype chain of the Object prototype.

* Fix root cause of XSS in autolinker plugin #1054

* command-line plugin: Safely encode attributes

If an attacker has control over the values of the attributes
"data-prompt", "data-user", or "data-host", then XSS was possible.
This fixes the issue, by encoding quotes as the `&quot;` entity.

* show-language plugin: innerHTML -> textContent

There is no need for `innerHTML` here. At best nothing happens,
at worst XSS is possible (though the odds are negligible since
the attacker would have to control the detected language).

* toolbar plugin: innerHTML -> textContent
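
The commit message above contrasts a for-in loop with `Object.keys` and describes encoding quotes in attribute values. The following is an added example, not code from the Prism repository: the function names, attribute names and sample values are constructed for illustration. It builds an attribute string both ways while `Object.prototype` carries an extra enumerable property.

```javascript
// Added illustration; function names are hypothetical, not Prism's API.

// 'Before' shape: for-in also visits enumerable properties inherited
// through the prototype chain, and values are concatenated unencoded.
function buildAttributesForIn(attributes) {
	var out = '';
	for (var name in attributes) {
		out += ' ' + name + '="' + attributes[name] + '"';
	}
	return out;
}

// Encode the characters that could end a double-quoted attribute value.
function encodeAttribute(value) {
	return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// 'After' shape: own keys only, values encoded.
function buildAttributesOwnKeys(attributes) {
	return Object.keys(attributes).map(function (name) {
		return ' ' + name + '="' + encodeAttribute(attributes[name]) + '"';
	}).join('');
}

// Run both builders while Object.prototype carries a constructed extra
// property, then restore the prototype.
function demo() {
	Object.prototype['data-inherited'] = 'from-prototype'; // constructed
	try {
		var attrs = { 'data-user': 'root" data-extra="1' }; // constructed value
		return {
			forIn: buildAttributesForIn(attrs),
			ownKeys: buildAttributesOwnKeys(attrs)
		};
	} finally {
		delete Object.prototype['data-inherited'];
	}
}

console.log(demo());
```

In the for-in output the inherited key appears as an attribute and the unencoded quote splits `data-user` into two attributes; the `Object.keys` output contains a single `data-user` attribute with the quotes encoded.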
components Reduce risk of XSS (#1051) Nov 20, 2016
examples Add support for Reason. Fix #1046 Nov 19, 2016
img Optimize images (#1007) Jul 29, 2016
plugins Reduce risk of XSS (#1051) Nov 20, 2016
templates Changed the text in the header. Way overdue, as Prism’s popularity ha… Feb 13, 2016
tests Add support for Reason. Fix #1046 Nov 19, 2016
themes Remove unneeded prefixed CSS (#989) Jul 19, 2016
vendor Add a way to download all grammars as a Zip directly from the Autoloa… Jun 18, 2016
.editorconfig Added basic .editorconfig Sep 27, 2015
.gitattributes Add .gitattributes to prevent line ending changes in test files Aug 18, 2015
.gitignore Add yarn.lock (#1035) Oct 23, 2016
.npmignore Added .npmignore Apr 21, 2014
.travis.yml Added travis.yml to run tests in travis Jul 26, 2015 Update CHANGELOG Sep 23, 2016
CNAME Added CNAME file Jul 30, 2012
LICENSE Fixing to initial copyright year Jan 18, 2016 Update Aug 18, 2015
bower.json Ignore tests directory in bower.json Apr 6, 2016
code.js Fix broken heading links. Dec 30, 2015
components.js Add support for Reason. Fix #1046 Nov 19, 2016
download.html Merge pull request #561 from Golmote/prism-check-all Sep 3, 2015
download.js Add after-property to allow ordering of plugins Feb 26, 2016
examples.html Added some language aliases. Sep 3, 2015
examples.js Fixed issues pointed out in previous pull request Apr 8, 2016
extending.html Document the newly added greedy-flag Apr 30, 2016
faq.html link to index for basic usage - fixes #945 May 1, 2016
favicon.png Optimize images (#1007) Jul 29, 2016
gulpfile.js Add property 'aliasTitles' to components.js Feb 17, 2016
index.html HTTPS links to and + Google Analytics to HTTPS Apr 28, 2016
logo.svg Restore `viewBox` to Prism logo (#1002) Jul 19, 2016
package.json Plugins: Toolbar & Copy to Clipboard (#891) Nov 9, 2016
prefixfree.min.js Styling and docs changes Jul 31, 2012
prism.js Reduce risk of XSS (#1051) Nov 20, 2016
style.css Use screenshot instead of text logo for U.S. Web Design Standards on … Oct 14, 2015
test-suite.html Added TestCase.runTestsWithHooks + add missing tests. Updated documen… Jul 11, 2016
test.html Improve test drive page usability. Fix #591 Jun 12, 2015
utopia.js Commit updated line changes Aug 18, 2015


Prism is a lightweight, robust, elegant syntax highlighting library. It's a spin-off project from Dabblet.

You can learn more on

Why another syntax highlighter?:

Contribute to Prism!

Prism depends on community contributions to expand and cover a wider array of use cases. If you like it, consider giving back by sending a pull request. Here are a few tips:

  • Read the documentation. Prism was designed to be extensible.
  • Do not edit prism.js; it’s just the version of Prism used by the Prism website and is built automatically. Limit your changes to the unminified files in the components/ folder. The minified files are also generated automatically.
  • The build system uses gulp to minify the files and build prism.js. Having gulp installed, you just need to run the command gulp.
  • Please follow the code conventions used in the files already. For example, I use tabs for indentation and spaces for alignment. Opening braces are on the same line, closing braces on their own line regardless of construct. There is a space before the opening brace. etc etc.
  • Please try to err towards more, smaller PRs rather than a few huge PRs. If a PR includes changes I want to merge and changes I don't, handling it becomes difficult.
  • My time is very limited these days, so it might take a long time to review longer PRs (short ones are usually merged very quickly), especially those modifying the Prism Core. This doesn't mean your PR is rejected.
  • If you contribute a new language definition, you will be responsible for handling bug reports about that language definition.
  • If you add a new language definition, theme or plugin, you need to add it to components.js as well, so that it becomes available to the download build page.

Thank you so much for contributing!!