Do not mention the format war.

Once upon a time, we had XHTML-IM https://xmpp.org/extensions/xep-0071.html

But then web developers came along and just put this directly into the DOM of their web clients, leading to endless XXS exploits, so XEP-0071 was burned at the stake.

XEP-0393 might look ad-hoc, but it's essentially what people were typing into their chats and emails since time immemorial.

People sometimes think this is Markdown and then pick a markdown library off the shelf and then the HTML passtrough bites them, leading us back to the beginning.

I really don't understand how Matrix and Mastodon etc are allowed to pass around HTML embedded in JSON as if that somehow solves all those problems.

Tbh if a client is dumb enough to put xhtml-im directly into DOM with no verification that is the client's problem, not the XEP's, and that should be no reason to cancel it.

Well, if it was _a_ client. But if 100% of clients make the same mistake, then it is the spec that is the problem, or so the argument went.

Maybe one day xhtml-im will make a glorious return as a 2.0, with bigger, better and scarier warnings about sanitizing your inputs