> a) Is it likely that the conversion from a Markdown-like syntax will intentionally generate malicious HTML?
Depends on the syntax. If you use Markdown, I think it is unlikely to happen, because it's not tempting to implement the conversion yourself (lots of libraries, too complex to do with regexps), and libraries do the right thing (given that you turn off arbitrary HTML support). If you increase the temptation to 'roll your own' conversion (e.g. use a format that is very simple, like Slack's notification format, or use something without too many libraries that you are likely to implement yourself), you'll probably see lots of regexp-like substitutions followed by direct injection. In summary: I think with Markdown, we're fine.

Remko
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________
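As an added illustration of the 'roll your own' failure mode described in the reply above (example code, not from this thread or any XMPP project): a toy Slack-style inline markup converter built from regexp substitutions, once with the result injected straight into HTML and once with HTML escaping applied before the substitutions. The markup rules, the allowlist and the sample message are constructed for the example.

```python
import html
import re

# Constructed Slack-like inline markup: *bold*, _italic_, `code`.
# None of the marker characters have HTML meaning, so escaping the
# input first does not interfere with matching them afterwards.
RULES = [
    (re.compile(r"\*(.+?)\*"), r"<b>\1</b>"),
    (re.compile(r"_(.+?)_"), r"<i>\1</i>"),
    (re.compile(r"`(.+?)`"), r"<code>\1</code>"),
]

# The only tags the converter is meant to emit (constructed allowlist).
ALLOWED_TAGS = {"b", "i", "code"}


def naive_render(text: str) -> str:
    """Regexp substitutions with the result injected directly into HTML.
    Whatever tags the sender wrote pass through untouched."""
    out = text
    for pattern, repl in RULES:
        out = pattern.sub(repl, out)
    return out


def safe_render(text: str) -> str:
    """Escape every character with HTML meaning first, then apply the
    markup rules, so the only tags in the output are the ones we emit."""
    out = html.escape(text, quote=True)
    for pattern, repl in RULES:
        out = pattern.sub(repl, out)
    return out


def tag_names(rendered: str) -> set:
    """Tag names present in rendered output (literal '<' only; escaped
    '&lt;' does not count), for checking against ALLOWED_TAGS."""
    return {t.lower() for t in re.findall(r"</?([a-zA-Z][a-zA-Z0-9]*)", rendered)}


def only_allowed_tags(rendered: str) -> bool:
    return tag_names(rendered) <= ALLOWED_TAGS


# Constructed sample message carrying inline HTML alongside the markup.
SAMPLE = "hi *there* <script>alert(1)</script> `x`"

if __name__ == "__main__":
    print("naive:", naive_render(SAMPLE), only_allowed_tags(naive_render(SAMPLE)))
    print("safe: ", safe_render(SAMPLE), only_allowed_tags(safe_render(SAMPLE)))
```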