html default #72

Closed
jonschlinkert opened this issue Oct 27, 2014 · 7 comments

Comments

@jonschlinkert
Owner

I think we should consider setting html: true by default. Partially to be consistent with other markdown libraries, but also because I think this is what most users expect. But before we change it maybe we can get feedback from users, I might be wrong.

@puzrin
Contributor

puzrin commented Oct 27, 2014

I have no objection in principle, if the majority of users really need html to be enabled. Intention was to keep output safe by default, but we should not push users with my fictional ideas.

@jonschlinkert
Owner Author

> Intention was to keep output safe by default

ah, yes that's true. lol and same for me, I don't know what most users want. maybe we can keep this open a little longer to see if anyone cares. if a few days go by with no comments we can just close if that's okay with you

@jonathanong

i wish there were a "safe html" option that removes stuff like onclick handlers and <script> tags. if that could be implemented, i think that should be default, though i don't see an easy way of doing that. maybe a client-side plugin.

@puzrin
Contributor

puzrin commented Oct 29, 2014

That can't be implemented in a safe and easy way. So it's not worth implementing at all. If you need html sanitization, an external package should be used. Or, if you need safe output immediately, disable html and write the necessary syntax extensions via plugins.

@jonschlinkert
Owner Author

hey @jonathanong! so basically are you saying that your preference would be that if html is turned on by default it should only be for "safe html"? e.g. would that be a "deal killer"?

@jonathanong

yes. if you had unsafe html as default, some developer who didn't read the docs will start complaining about security issues. better to avoid that :)

@jonschlinkert
Owner Author

you make a great point... and this issue is officially resolved lol
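
The trade-off discussed in this thread, as an added example that is not part of the original issue or the project's code: a hypothetical minimal renderer (`render`, `renderInline`, `emittedTags` and the sample input are constructed for illustration) whose `html` option is off unless explicitly enabled. With the option off, every tag-like token from the input is escaped, so the only tags in the output are the ones the renderer wrote itself, and no list of dangerous constructs has to be maintained.

```javascript
// Added illustration: a hypothetical renderer, not the project's API.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const escapeHtml = (s) => s.replace(/[&<>"]/g, (c) => ENTITIES[c]);

// Anything shaped like an opening or closing HTML tag.
const TAG = /(<\/?[A-Za-z][^<>]*>)/;

function renderInline(src, options = {}) {
  const allowHtml = options.html === true; // safe unless explicitly enabled
  return src
    .split(TAG) // odd indexes hold the captured tag-like tokens
    .map((token, i) => {
      if (i % 2 === 1) {
        // Raw HTML from the input: verbatim only when the caller opted in.
        return allowHtml ? token : escapeHtml(token);
      }
      // Plain text is escaped first, then emphasis markup is applied,
      // so these <em> tags are written by the renderer, not the input.
      return escapeHtml(token).replace(/\*([^*]+)\*/g, '<em>$1</em>');
    })
    .join('');
}

function render(src, options) {
  return src
    .split(/\n{2,}/)
    .map((block) => block.trim())
    .filter(Boolean)
    .map((block) => `<p>${renderInline(block, options)}</p>`)
    .join('\n');
}

// Check for a test suite: list every live tag present in rendered output.
function emittedTags(output) {
  return output.match(/<\/?[A-Za-z][^<>]*>/g) || [];
}

// Constructed sample input containing the two cases named in the thread.
const sample =
  'Hello *world* <script>track()</script> <b onclick="track()">hi</b> & bye';

console.log(emittedTags(render(sample)));                 // html off (default)
console.log(emittedTags(render(sample, { html: true }))); // html on
```

Asserting on `emittedTags` in a test suite makes a later change of the default visible as a failing test instead of a behaviour change in production output.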
