On Fri, Oct 13, 2017, at 03:55, Kevin Smith wrote:
> But I think that it's fundamentally weird to claim that when
> implementing markdownish, non-diligent devs won't just inject HTML, but
> while implementing XHTML-IM they will.

I agree. However, if you send *<script>alert(123)</script>* and someone converts the *'s to <strong> and injects that directly into the DOM, you end up with a nicely bolded "<script>alert(123)</script>" and no XSS. That's if we decided to put it in <body> of course, where the server would yell at you if you didn't escape the script somehow. We could also put it outside of body, which some people seem to want, but I haven't thought about the implications of that much yet; I'm more focused on the XSF not recommending something that we know causes problems and has a long history of security issues.

—Sam

_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
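The property Sam describes, that a markdownish renderer which HTML-escapes the body before turning `*…*` into `<strong>` cannot be used to smuggle markup into the DOM, is easy to check in code. The following is an added example, not code from the thread or from any XMPP client; the function names, the constructed sample messages and the `onlyStrongTags` check are all assumptions of this example.

```javascript
// Added example (not from the mailing-list thread): a minimal "markdownish"
// renderer that escapes HTML in the message body BEFORE converting
// *emphasis* markers into <strong>, so any tags a sender embeds are shown
// as literal text rather than parsed by the browser.

// Escape the five characters that can open markup or break out of an
// attribute. Applied to the raw body before any formatting is added.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Turn *text* into <strong>text</strong>. This runs only on already-escaped
// text, so the only angle brackets in the output are the ones emitted here.
function renderMarkdownish(body) {
  const escaped = escapeHtml(body);
  return escaped.replace(/\*([^*\n]+)\*/g, '<strong>$1</strong>');
}

// Defensive check a client could run on rendered output before inserting it
// with innerHTML: every tag present must be one the renderer itself produces.
function onlyStrongTags(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.every((t) => t === '<strong>' || t === '</strong>');
}

// Constructed sample bodies (hypothetical chat messages, not real traffic).
const SAMPLES = [
  '*<script>alert(123)</script>*',          // the case discussed in the thread
  'see <a href="x" onclick="y()">link</a>', // a tag without emphasis markers
  'a & b *c*',                              // entity escaping plus emphasis
];

// Render each sample and report whether the output is free of foreign tags.
function demo() {
  return SAMPLES.map((body) => {
    const html = renderMarkdownish(body);
    return { body, html, safe: onlyStrongTags(html) };
  });
}

for (const r of demo()) {
  console.log(`${r.safe ? 'OK ' : 'BAD'} ${r.body}\n    -> ${r.html}`);
}
```

The order of the two steps is what matters: escaping first and then adding `<strong>` gives bold text with any sender-supplied tags rendered inert, whereas adding markup first and escaping afterwards would neutralise the renderer's own tags too, and skipping the escape entirely is exactly the XHTML-IM injection problem the thread is about.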
