HTML should be sanitized in messages

[danmarshall]

A customer reported that a message containing HTML tags was being rendered:

the following html tag should not be enabled: <a href='http://example.com'>example</a>

[danmarshall]

1. Sanitize the html to remove any scripting
2. Whitelist to only the tags that we support
3. Add “target=_blank” to hyperlinks.

[billba]

Do other chat clients allow any HTML at all in their markdown?

(Here I'm ignoring the "xml" message format, which supports just a handful of whitelisted tags.)

[danmarshall]

@billba no, they don't.

[billba]

Then rather than sanitize, I vote we strip HTML out entirely. I think that's what we did before.

[danmarshall]

I agree personally, we are circulating the idea internally.

[eanders-ms]

HTML support in markdown varies widely from client to client. GitHub has pretty rich support for it. Telegram supports basic font formatting tags; Skype too.

[billba]

Oh okay, so what Dan said is not true. It is supported in some clients. That changes my opinion.

DAN WHY MUST YOU LIE SO

[danmarshall]

@reyesrico - can you create a matrix of which channels support HTML?

[reyesrico]

Channel	Markdown Support	HTML in Markdown Support
Bing	Yes	No
Cortana	Yes	No
Facebook	No	-
GroupMe	No	-
Kik	No	-
Slack	Partial	No
Telegram	Yes	No
Twillio (Web)	No	-
WeChat	No	-
Email	Yes	Yes
Microsoft Teams	Partial	Partial
Skype	Partial	Partial
Skype for Business	Partial	Partial
WebChat	Yes	No

[nwhitmont]

@danmarshall What's the latest?

[billba]

@reyesrico I'm having trouble parsing this table. I think the actual question we are asking is "For each channel that supports Markdown, does it render embedded HTML in Markdown?"

[danmarshall]

@billba - I see. Yes I can just re-order the columns. And then put n/a in the HTML cell if markdown isn't supported on that channel.

[danmarshall]

Table has been updated.

[billba]

Much clearer, thanks!

[MathBunny]

Hello, how would I render a table then inside a WebChat? Is it possible? I previously used to render tables through my bot

[AmolPawarGitHub]

HTML in iframe webchat does not render.I have used HTML tags like table tags to show data in bot and now the output looks like a mess. What is the solution for this?

[corinagum]

Fixed in v4