I believe you can only use markdown. Allowing user input in HTML is incredibly dangerous unless you're very, very careful about sanitizing it. I had to deal with this at a previous job and it's a nightmare for security.

[–] [email protected] 1 points 1 year ago (1 children)

I’m a newbie, but aren‘t there quite a few HTML Tags you can use in Markdown? Why aren‘t they considered dangerous? Or is it just a few tags that would be dangerous, that aren‘t supported in markdown?

[–] [email protected] 2 points 1 year ago

Markdown is interpreted and translated into HTML. There are tons of vulnerable tags. Even a simple img tag can be used for cross site scripting.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Lemmy already has to deal with untrusted HTML since that's the "canonical" form of all ActivityPub Page/Note content.

I believe it converts to markdown when it receives it (if no markdown source is transmitted alongside, e.g. for posts from vanilla Mastodon) and stores/serves markdown from it's own API (to the webui and apps), so it wouldn't be much use for OP but in theory they can use a modified Lemmy or a different hypothetical fedi platform that supports HTML and it should work Mostly Fine™ (granted Lemmy already has trouble federating with itself most of the time so that may not be the best user experience, but it can work)

[–] [email protected] 1 points 1 year ago

I didn't know that it accepted and translated HTML to be honest. Makes me wonder if there are any vulnerabilities based on the translation process, or if you can break out of it. Hmm.