From 493200bfbeaa01a0f4800c7fb609c7c4938857e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Commaille?= Date: Mon, 26 Feb 2024 15:10:48 +0100 Subject: [PATCH 1/5] Deprecate `strike` HTML tag MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace it with `s` or `del`. Signed-off-by: Kévin Commaille --- .../modules/instant_messaging.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/content/client-server-api/modules/instant_messaging.md b/content/client-server-api/modules/instant_messaging.md index 5fcf379f6..28b627c26 100644 --- a/content/client-server-api/modules/instant_messaging.md +++ b/content/client-server-api/modules/instant_messaging.md @@ -37,9 +37,24 @@ HTML injection, and similar attacks. The strongly suggested set of HTML tags to permit, denying the use and rendering of anything else, is: `font`, `del`, `h1`, `h2`, `h3`, `h4`, `h5`, `h6`, `blockquote`, `p`, `a`, `ul`, `ol`, `sup`, `sub`, `li`, `b`, `i`, `u`, `strong`, `em`, -`strike`, `code`, `hr`, `br`, `div`, `table`, `thead`, `tbody`, `tr`, +`strike`, `s`, `code`, `hr`, `br`, `div`, `table`, `thead`, `tbody`, `tr`, `th`, `td`, `caption`, `pre`, `span`, `img`, `details`, `summary`. + +{{% boxes/note %}} +HTML features MAY be deprecated and replaced by their modern equivalent without +requiring a [Spec Change Proposal](/proposals) when they are deprecated in the +WHATWG HTML Living Standard. +{{% /boxes/note %}} + +{{% boxes/note %}} +{{% changed-in v="1.10" %}} + +The `strike` tag is deprecated. Clients MUST stop sending new messages using +this tag and replace it with `s` or `del`. +{{% /boxes/note %}} + + Not all attributes on those tags should be permitted as they may be avenues for other disruption attempts, such as adding `onclick` handlers or excessively large text. Clients should only permit the attributes From 4597fcd84c0a57292d4ef119e6ecb7a5b1adea4f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?K=C3=A9vin=20Commaille?= Date: Mon, 26 Feb 2024 15:17:49 +0100 Subject: [PATCH 2/5] Add changelog MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Kévin Commaille --- changelogs/client_server/newsfragments/1732.feature | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelogs/client_server/newsfragments/1732.feature diff --git a/changelogs/client_server/newsfragments/1732.feature b/changelogs/client_server/newsfragments/1732.feature new file mode 100644 index 000000000..70a43a0c0 --- /dev/null +++ b/changelogs/client_server/newsfragments/1732.feature @@ -0,0 +1 @@ +Deprecate the `strike` HTML tag and introduce the `s` tag as a possible replacement. \ No newline at end of file From 34579a6a9e8c31e035b12813082b7763c3959401 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Commaille?= Date: Tue, 27 Feb 2024 10:33:43 +0100 Subject: [PATCH 3/5] Remove strike deprecation and add added-in annotation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Kévin Commaille --- .../client_server/newsfragments/1732.clarification | 1 + changelogs/client_server/newsfragments/1732.feature | 1 - content/client-server-api/modules/instant_messaging.md | 10 +--------- 3 files changed, 2 insertions(+), 10 deletions(-) create mode 100644 changelogs/client_server/newsfragments/1732.clarification delete mode 100644 changelogs/client_server/newsfragments/1732.feature diff --git a/changelogs/client_server/newsfragments/1732.clarification b/changelogs/client_server/newsfragments/1732.clarification new file mode 100644 index 000000000..30caf4358 --- /dev/null +++ b/changelogs/client_server/newsfragments/1732.clarification @@ -0,0 +1 @@ +Document the deprecation policy of HTML tags. \ No newline at end of file 
diff --git a/changelogs/client_server/newsfragments/1732.feature b/changelogs/client_server/newsfragments/1732.feature deleted file mode 100644 index 70a43a0c0..000000000 --- a/changelogs/client_server/newsfragments/1732.feature +++ /dev/null @@ -1 +0,0 @@ -Deprecate the `strike` HTML tag and introduce the `s` tag as a possible replacement. \ No newline at end of file diff --git a/content/client-server-api/modules/instant_messaging.md b/content/client-server-api/modules/instant_messaging.md index 485a07492..cde5b9422 100644 --- a/content/client-server-api/modules/instant_messaging.md +++ b/content/client-server-api/modules/instant_messaging.md @@ -48,21 +48,13 @@ tags to permit, denying the use and rendering of anything else, is: `s`, `code`, `hr`, `br`, `div`, `table`, `thead`, `tbody`, `tr`, `th`, `td`, `caption`, `pre`, `span`, `img`, `details`, `summary`. - {{% boxes/note %}} +{{% added-in v="1.10" %}} HTML features MAY be deprecated and replaced by their modern equivalent without requiring a [Spec Change Proposal](/proposals) when they are deprecated in the WHATWG HTML Living Standard. {{% /boxes/note %}} -{{% boxes/note %}} -{{% changed-in v="1.10" %}} - -The `strike` tag is deprecated. Clients MUST stop sending new messages using -this tag and replace it with `s` or `del`. -{{% /boxes/note %}} - - Not all attributes on those tags should be permitted as they may be avenues for other disruption attempts, such as adding `onclick` handlers or excessively large text. Clients should only permit the attributes From 4982abb1677a3a784dd17c355359d82e9cdcf0ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Commaille?= <76261501+zecakeh@users.noreply.github.com> Date: Wed, 28 Feb 2024 09:49:54 +0100 Subject: [PATCH 4/5] Add link to HTML standard Co-authored-by: Hubert Chathi --- content/client-server-api/modules/instant_messaging.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/client-server-api/modules/instant_messaging.md b/content/client-server-api/modules/instant_messaging.md index cde5b9422..fd05b74b1 100644 --- a/content/client-server-api/modules/instant_messaging.md +++ b/content/client-server-api/modules/instant_messaging.md @@ -52,7 +52,7 @@ tags to permit, denying the use and rendering of anything else, is: {{% added-in v="1.10" %}} HTML features MAY be deprecated and replaced by their modern equivalent without requiring a [Spec Change Proposal](/proposals) when they are deprecated in the -WHATWG HTML Living Standard. +[WHATWG HTML Living Standard](https://html.spec.whatwg.org/multipage/). {{% /boxes/note %}} Not all attributes on those tags should be permitted as they may be From 5befbfcfa9b3241593ec8e58e0e75dd3892a188c Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Sat, 2 Mar 2024 17:09:47 -0700 Subject: [PATCH 5/5] Update changelogs/client_server/newsfragments/1732.clarification --- changelogs/client_server/newsfragments/1732.clarification | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelogs/client_server/newsfragments/1732.clarification b/changelogs/client_server/newsfragments/1732.clarification index 30caf4358..61e74c6cf 100644 --- a/changelogs/client_server/newsfragments/1732.clarification +++ b/changelogs/client_server/newsfragments/1732.clarification @@ -1 +1 @@ -Document the deprecation policy of HTML tags. \ No newline at end of file +Document the deprecation policy of HTML tags, as per [MSC4077](https://github.com/matrix-org/matrix-spec-proposals/pull/4077). \ No newline at end of file
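Review bot: in the PATCH 1/5 hunk on `instant_messaging.md`, the new `strike` note only constrains senders ("Clients MUST stop sending new messages using this tag") and is silent on receivers. The list above it is an allowlist ("denying the use and rendering of anything else") and `strike` stays in it, so the intent appears to be that existing messages keep rendering. Say so explicitly, for example that clients SHOULD continue to accept and render `strike` in received messages, so the deprecation is not read as a reason to drop the tag from a sanitizer and start stripping it from room history. The extra blank lines added before the first `{{% boxes/note %}}` and after the last `{{% /boxes/note %}}` can also go.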
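Review bot: the `1732.feature` fragment in PATCH 2/5 says `s` is introduced "as a possible replacement", while the spec text added in PATCH 1/5 tells clients to replace `strike` with "`s` or `del`". Align the two, for example "Deprecate the `strike` HTML tag in favour of `s` or `del`, and add `s` to the suggested tags", so the changelog also records that the suggested allowlist itself grew.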
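Review bot: in the PATCH 3/5 hunk on `instant_messaging.md`, removing the `strike` note leaves a policy that says features MAY be deprecated but no longer states what a deprecation requires of clients. The removed text at least gave the sending side ("Clients MUST stop sending new messages using this tag"); the remaining note should carry a general form of that, covering both whether senders must stop emitting a deprecated feature and whether renderers keep it in their allowlist. Separately, `{{% added-in v="1.10" %}}` now sits directly above the paragraph, whereas the removed note left a blank line after `{{% changed-in v="1.10" %}}`; use whichever form the rest of the file uses.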
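Review bot: the replacement `1732.clarification` fragment in PATCH 3/5 covers only the deprecation policy, while the deleted `1732.feature` also recorded the `s` tag. If the series still adds `s` to the suggested tag list, as PATCH 1/5 did, that changes what sanitizers are expected to let through and should keep its own changelog entry rather than disappear with the rename.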
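Review bot: in the PATCH 4/5 hunk, the sentence still reads "when they are deprecated in the [WHATWG HTML Living Standard]", but that standard classifies such features as obsolete rather than deprecated, and the link targets the multipage index. Consider wording the condition in the standard's own terms and pointing the link at its obsolete features section, so an implementer can check a given tag's status without guessing which part of the document the policy relies on.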
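Review bot: the rewritten line in PATCH 5/5 still ends with "\ No newline at end of file" on both sides; since the fragment is being touched anyway, add the trailing newline here. The MSC4077 reference also exists only in the changelog: the `{{% boxes/note %}}` in `instant_messaging.md` links `/proposals` and the HTML standard but not the proposal that defines the policy, which is where a reader of the spec page would look for it.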