On 10/12/12 7:53 AM, "Peter Saint-Andre" <stpe...@stpeter.im> wrote:
>>> (I also wonder why we don't support <q/> for inline quotation...)
>>
>> Yes, it seems that the set of allowed tags should be reviewed too.
>
>Maybe. :) I'm sure we had good reasons for the limited subset we defined
>in 2003-2004, and I am not sure we want to reconsider every element and
>attribute when the XEP is so mature.

IIRC, the goal was to have as small a subset as possible where we had thought about how each of the pieces could be used as an attack vector. What suffered in the process was the ability to take random HTML from a web page or other application and paste it in without losing markup. A good example of this is pasting from Excel, which generates <table>'s. I know of at least one set of clients that allows <table>, <tr>, etc. to be both sent and received, in contravention of the XEP, due to customer demands.

The thing I know we missed was the sender styling a message that contains a newline so that the receiving client renders a line that looks like the receiver sent a message they didn't send. We should probably add some text that recommends indenting subsequent lines or otherwise distinguishing sent text from received text.

--
Joe Hildebrand
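Added example, not part of the original message or of the XEP: one way a receiving client could apply the recommendation above, so that only the first line of a message starts at the margin with the sender's name. It assumes the body has already been reduced to text with line breaks and that the transcript shows messages as "nick: text"; the names `GUTTER`, `render_message` and `looks_spoofed` are hypothetical.

```python
import re

# Assumed display convention for this example: each message is shown as
# "<nick>: <text>". Continuation lines get a gutter so they can never be
# mistaken for the start of a new message.
GUTTER = "    | "


def split_lines(body):
    # str.splitlines() also breaks on \r\n, \r, U+0085, U+2028 and U+2029,
    # so unusual separators are treated as line breaks here too.
    return body.splitlines() or [""]


def render_message(sender, body):
    """Return display lines; only the first one carries the sender prefix."""
    first, *rest = split_lines(body)
    return [f"{sender}: {first}"] + [GUTTER + line for line in rest]


def looks_spoofed(body, known_nicks):
    """True if a continuation line imitates '<nick>:' of a known participant."""
    if not known_nicks:
        return False
    nicks = "|".join(re.escape(n) for n in known_nicks)
    pattern = re.compile(rf"^\s*(?:{nicks})\s*:", re.IGNORECASE)
    return any(pattern.match(line) for line in split_lines(body)[1:])


if __name__ == "__main__":
    # Constructed sample: a body from "alice" whose second line imitates "bob".
    sample = "see you at 5\nbob: fine, I approve the change"
    for line in render_message("alice", sample):
        print(line)
    print("flag for review:", looks_spoofed(sample, ["alice", "bob"]))
```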