[Standards] LAST CALL: XEP-0393 (Message Styling)

Sam Whited sam at samwhited.com
Mon May 18 03:14:08 UTC 2020


Since this was brought up twice I wanted to respond to it:

This XEP is not Markdown and its syntax is not compatible with Markdown.
I have never seen an implementation that used a Markdown library, and if
they did it would not be compatible so I don't see this as an issue or a
likely problem (since if you tried to use a Markdown parser you'd
presumably realize that it can't work fairly quickly and have to fix
your implementation).

Naturally, I'm open to links to places that have introduced security
issues this way or have broken implementations that use a Markdown
parser; we should fix those.

—Sam

On Sun, May 17, 2020, at 13:58, Maxime Buquet wrote:
> It seems developers interpret this XEP as a "markdown" XEP and use
> markdown libraries to implement it (which also include HTML parsers),
> even if it explicitly introduces sigils that are not matching those
> of markdown.

On Sun, May 17, 2020, at 15:01, Jonas Schäfer wrote:
> Yes. I fully expect people to hook this up to a Markdown processor
> which will then accept HTML, leading to fun scripting attacks. Which
> is the same class of issues originally introduced by the old XHTML-IM.

