This has been shown a few times: edit messages will be parsed as Discord Markdown and this has implications.
I think it might be good to prevent the following in edit messages:
[ ] Links with displayed text
[ ] Pinging via edit messages
[ ] Clickable links entirely maybe?
The first two could be done by escaping the following six characters with a \ prefix: ()[]<>; clickable links could be done by escaping the / character.
My rationale here is that we don't necessarily want people pinging or inserting misleading links into edit messages, but maybe opinions differ?
For reference, this is what seems to be the official documentation for Discord Markdown: Discord Markdown Text 101
Edit (2023-10-20): Since then, I've seen some more situations, like a user with a username that formats text with __. It might be good to just sanitize everything.
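An added example, not code from the bot or from the post above: one way to apply the proposed escaping to any human-provided text before the bot relays it. The function name, its flags and the formatting character set are hypothetical, and it assumes Discord treats `\\` as an escaped backslash, so the backslash is escaped as well.

```python
# Added illustration; names and character sets below are assumptions.

# The six characters named in the post: they delimit masked links
# such as [text](url) and mention syntax such as <@id>.
LINK_AND_MENTION = "()[]<>"
# Escaping "/" is the post's proposal for stopping clickable links.
URL_SLASH = "/"
# "Sanitize everything": emphasis, code and spoiler markers as well
# (assumed set; covers a username that contains "__").
FORMATTING = "*_~`|"


def escape_discord_markdown(text, links=True, formatting=True):
    """Backslash-escape Discord Markdown control characters in relayed text."""
    # Always escape the backslash itself. Otherwise input that already
    # contains "\[" would become "\\[": an escaped backslash followed by
    # a live bracket, which defeats the escaping.
    chars = "\\" + LINK_AND_MENTION
    if links:
        chars += URL_SLASH
    if formatting:
        chars += FORMATTING
    table = str.maketrans({c: "\\" + c for c in chars})
    return text.translate(table)


# Constructed sample inputs (not taken from the page).
SAMPLES = [
    "fixed road [click here](https://example.com/x)",
    "thanks <@123456789012345678>",
    "__mapper__ edited this",
    r"pre-escaped \[text](https://example.com)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(escape_discord_markdown(sample))
```

Apply the function at the point where text leaves the bot, so edit messages, usernames and any other relayed field go through the same path.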
Note this is applicable to more than just edit messages. Anywhere the bot relays text provided by a human has the potential to contain Discord markdown. Some examples: