From 493200bfbeaa01a0f4800c7fb609c7c4938857e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Commaille?= Date: Mon, 26 Feb 2024 15:10:48 +0100 Subject: [PATCH] Deprecate `strike` HTML tag MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace it with `s` or `del`. Signed-off-by: Kévin Commaille --- .../modules/instant_messaging.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/content/client-server-api/modules/instant_messaging.md b/content/client-server-api/modules/instant_messaging.md index 5fcf379f..28b627c2 100644 --- a/content/client-server-api/modules/instant_messaging.md +++ b/content/client-server-api/modules/instant_messaging.md @@ -37,9 +37,24 @@ HTML injection, and similar attacks. The strongly suggested set of HTML tags to permit, denying the use and rendering of anything else, is: `font`, `del`, `h1`, `h2`, `h3`, `h4`, `h5`, `h6`, `blockquote`, `p`, `a`, `ul`, `ol`, `sup`, `sub`, `li`, `b`, `i`, `u`, `strong`, `em`, -`strike`, `code`, `hr`, `br`, `div`, `table`, `thead`, `tbody`, `tr`, +`strike`, `s`, `code`, `hr`, `br`, `div`, `table`, `thead`, `tbody`, `tr`, `th`, `td`, `caption`, `pre`, `span`, `img`, `details`, `summary`. + +{{% boxes/note %}} +HTML features MAY be deprecated and replaced by their modern equivalent without +requiring a [Spec Change Proposal](/proposals) when they are deprecated in the +WHATWG HTML Living Standard. +{{% /boxes/note %}} + +{{% boxes/note %}} +{{% changed-in v="1.10" %}} + +The `strike` tag is deprecated. Clients MUST stop sending new messages using +this tag and replace it with `s` or `del`. +{{% /boxes/note %}} + + Not all attributes on those tags should be permitted as they may be avenues for other disruption attempts, such as adding `onclick` handlers or excessively large text. Clients should only permit the attributes
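Review bot: In the second added note, the `strike` deprecation only states the sending side ("Clients MUST stop sending new messages using this tag"), while the allow-list above it keeps `strike` next to the new `s` entry without saying why. Because that list is what a client's sanitizer permits, "denying the use and rendering of anything else", the note should state the receiving side explicitly, for example that clients continue to permit and render `strike` in received messages so that existing history still displays correctly. Otherwise an implementer could read "deprecated" as grounds for dropping the tag from the sanitizer allow-list. The first note's rule about following the WHATWG HTML Living Standard would benefit from the same clarification: say whether a deprecated feature stays in the permitted set for rendering. As a minor style point, the hunk adds two consecutive blank lines after the closing `{{% /boxes/note %}}`; one is enough.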