On Wednesday, 18 October 2017 13:38:47 CEST Sam Whited wrote:
> On Wed, Oct 18, 2017, at 12:40, Goffi wrote:
> > If we base the debate on devs not really taking care of security (which was
> > the initial issue with XHTML-IM) or path of less resistance, they will most
> > probably just send the raw Markdown to the list, where HTML can be executed.
>
> It would also require manually unescaping the body first, otherwise
> you'd just get a message that said "<script>".

Wouldn’t any sane XML library handle that un-escaping? Or are we talking about doubly-escaped HTML?

> So it now requires manually screwing something up to lead to a security
> issue instead of the default being an issue.
>
> —Sam
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
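The escaping question raised in this message, worked through as an added example that is not part of the original thread: it parses a singly-escaped and a doubly-escaped `<body>` and shows what each becomes once turned into markup. Python's `xml.etree` stands in for the XML library, the stanzas are constructed samples, and the bold-only renderer is a hypothetical stand-in for a Markdown library that passes inline HTML through.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample stanzas (not taken from the thread).
SINGLE = ("<message><body>**hi** "
          "&lt;script&gt;alert(1)&lt;/script&gt;</body></message>")
DOUBLE = ("<message><body>**hi** "
          "&amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;</body></message>")

BOLD = re.compile(r"\*\*(.+?)\*\*")


def body_text(stanza):
    """Character data of <body>; the XML parser undoes exactly one escaping level."""
    return ET.fromstring(stanza).findtext("body")


def render_naive(text):
    """Hypothetical Markdown step (bold only) that leaves inline HTML untouched."""
    return BOLD.sub(r"<b>\1</b>", text)


def render_escaped(text):
    """Same step, but the body is HTML-escaped before any markup is generated."""
    return BOLD.sub(r"<b>\1</b>", html.escape(text))


def has_live_script(markup):
    """True if the output contains an unescaped <script> tag."""
    return "<script>" in markup.lower()


if __name__ == "__main__":
    for name, stanza in (("single", SINGLE), ("double", DOUBLE)):
        text = body_text(stanza)
        print(name, "parsed body :", text)
        print(name, "naive render:", render_naive(text),
              "live" if has_live_script(render_naive(text)) else "inert")
        print(name, "escaped     :", render_escaped(text))
```
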
