On Monday, 6 November 2017 15:25:00 CET Sam Whited wrote:
> Although, in retrospect the body is escaped so this isn't as
> likely as XHTML-IM to be a problem unless you unescape and then dump it
> into the DOM (which is a problem regardless of what formatting spec you
> use).

Could you clarify? I can’t see anything in the XEP which mandates escaping (which wouldn’t help either with malicious senders). When I put "<b>foo</b>" into a message, it will be sent as:

    <body><b>foo</b></body>

Which every sane XML library will hand to the receiving application as a string containing "<b>foo</b>". At which point, if you pour that into a default markdown thing, you get HTML in the output.

kind regards,
Jonas
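Added example, not part of the original message or of any XEP: it shows the receiving side of the point made above, where the XML parser hands the application a plain string containing "<b>foo</b>", and compares a renderer that styles that string directly with one that escapes for HTML output first. The stanza, the `STRONG` pattern and the three function names are constructed for illustration; the renderer handles only `*strong*` spans and stands in for "a default markdown thing".

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed stanza: the literal text <b>foo</b> typed by a sender, as an XML
# serializer writes it on the wire (entity-escaped character data).
STANZA = "<message><body>*hi* &lt;b&gt;foo&lt;/b&gt;</body></message>"

# Hypothetical minimal styling rule: *text* becomes <strong>text</strong>.
STRONG = re.compile(r"\*([^*\n]+)\*")


def body_text(stanza: str) -> str:
    """Return the body as the application sees it: entities already decoded."""
    body = ET.fromstring(stanza).find("body")
    return body.text or ""


def render_naive(text: str) -> str:
    """Apply styling directly; sender-supplied markup passes through as HTML."""
    return STRONG.sub(r"<strong>\1</strong>", text)


def render_escaped(text: str) -> str:
    """Escape for the HTML output context first, then add our own tags."""
    return STRONG.sub(r"<strong>\1</strong>", html.escape(text, quote=True))


if __name__ == "__main__":
    text = body_text(STANZA)
    print(repr(text))            # what the parser hands over
    print(render_naive(text))    # sender's <b> survives into the output
    print(render_escaped(text))  # sender's <b> is shown as text
```

The wire-level escaping is undone by the parser before the application sees the body, so the output-side escape in `render_escaped` is the step that keeps sender text from becoming markup.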
