-
leke
Which XEP specification allows using Markdown syntax in the message body? I can't seem to find it, but I remember there being one.
-
Zash
https://xmpp.org/extensions/xep-0481.html maybe, but I'm not aware of any implementations
-
Zash
The currently common way to format messages is https://xmpp.org/extensions/xep-0393.html which *IS NOT MARKDOWN*
-
leke
thanks
-
Anno
The syntax of our current way is similar to Markdown. Is it okay if I provide an option "Allow message text to be rendered in Markdown style" in my client?
-
Zash
<script>alert("no")</script>
-
pep.
leke, 0071 allows markdown to be used :)
-
Zash
Markdown, being an HTML superset, often passes unsafe HTML right through, leading to security vulnerabilities.
-
Kris
That depends on the markdown renderer
-
Zash
Best assume it does until proven otherwise
-
Kris
Still better than html messages...
-
leke
The basic Markdown syntax is already widely used, and I want to provide a copy of the Markdown syntax to help messages display better on these devices without having to parse XEP-0393.
-
Kris
leke: you are hitting a bee's nest
-
Kris
This is a very controversial topic in XMPP developer circles
-
Zash
leke, even talking about it may lead inexperienced developers to using an unsafe markdown library for 393 ... again.
-
leke
I honestly didn't realize that. Can you explain what you mean?
-
Zash
I mean someone already went and used a markdown library that by default let <script> right through because they thought 393 was markdown.
-
Kris
Zash is pulling your leg. XEP-0393 was explicitly developed because people did that with HTML renderers.
-
Kris
It even says so right in the preamble
-
pep.
The best way to use markdown is still to do XHTML-IM :)
-
pep. putting oil on the fire
-
leke
Oh, that's definitely a risky practice and not recommended. Most Markdown parsing libraries don't enable that by default.
-
Kris
Exactly
-
Zash
I'd suggest you parse the markdown locally and send it as https://xmpp.org/extensions/xep-0394.html on the wire
-
leke
It's not recommended to write HTML in Markdown. It's better to use the appropriate markup symbols.
-
mod
leke, You cannot control how the other party's client will parse MD, that's the problem
-
Anno
If it were up to me, I would simply provide an option in the client I develop to enable or disable rendering 'if the message received is in markdown format.' I do not require other clients to render it the same way, nor do I require my users to send or receive text necessarily in markdown format. However, I will allow users to indicate to others that they are sending markdown text, using the content node of XEP-0481 to reveal this.
-
Anno
Yes, babe
-
mod
It would be best to conduct a security audit for your software.
-
MSavoritias (fae,ve)
and please make it an option yeah. the amount of bugs in markdown because it's "styling" but not really :(
-
Anno
Yes, optionally