We had the same thoughts. But the only reason I need to sanitize is because of rendering parsed markdown using raw/1, as Phoenix serves :safe strings by default (correct?). So my idea was that the safest place to sanitize is where I render raw HTML, and not to assume the content has been sanitized beforehand.
Yeah, I've noticed html_sanitize_ex is used under the hood, and it's possible to use the :markdown_html mode directly. But I have the feeling it's meant to be used after markdown is parsed, only stripping the unsafe HTML and leaving the rest intact.
Either way, sanitizing markdown always seems to come with a downside (see my initial problem). I lose support for blockquotes in markdown (using strict :strip_tags mode). Or I allow users to use basic HTML as a markup language (using :markdown_html or :basic_html mode).
Maybe I’m missing something here, but somehow both options are unsatisfying. Also please correct me if my logic fails here.
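The "parse first, sanitize the rendered HTML, then raw/1" order described in the post, as an added example that is not the poster's code and not part of the original thread. It assumes Earmark and html_sanitize_ex are in the project's deps and uses only their public functions (Earmark.as_html!/1, HtmlSanitizeEx.markdown_html/1, basic_html/1, strip_tags/1, Phoenix.HTML.raw/1); the module name SafeMarkdown and the sample input are made up for illustration.

```elixir
# Added example (not from the forum post). Assumes Earmark, html_sanitize_ex and
# phoenix_html are available; SafeMarkdown is a hypothetical module name.
defmodule SafeMarkdown do
  @moduledoc """
  Render user-supplied Markdown to HTML that is safe to hand to Phoenix.HTML.raw/1.

  The sanitizer runs on the *rendered HTML*, right before raw/1, so it does not
  matter whether the upstream Markdown was pre-checked: literal HTML typed by the
  user and HTML produced by the Markdown parser go through the same whitelist.
  """

  @type mode :: :markdown_html | :basic_html | :strip_tags

  @spec to_safe_html(String.t(), mode) :: {:safe, iodata}
  def to_safe_html(markdown, mode \\ :markdown_html) when is_binary(markdown) do
    markdown
    |> Earmark.as_html!()   # Markdown -> HTML (blockquotes become <blockquote>)
    |> sanitize(mode)       # drop anything outside the chosen whitelist
    |> Phoenix.HTML.raw()   # mark as {:safe, ...} only now, after sanitizing
  end

  # :markdown_html keeps the tags Markdown itself generates (blockquote, lists,
  # headings, code, links with http/https/mailto schemes) and removes the rest.
  defp sanitize(html, :markdown_html), do: HtmlSanitizeEx.markdown_html(html)
  # :basic_html is a wider whitelist (tables, more formatting tags).
  defp sanitize(html, :basic_html), do: HtmlSanitizeEx.basic_html(html)
  # :strip_tags removes every tag, which is what costs you blockquotes.
  defp sanitize(html, :strip_tags), do: HtmlSanitizeEx.strip_tags(html)
end

# Constructed input: a legitimate blockquote plus two hostile inline HTML snippets.
input = """
> A quote the user actually wants rendered.

Hello <script>alert('xss')</script> and a
<a href="javascript:alert(1)" onclick="alert(2)">link</a>.
"""

rendered = Earmark.as_html!(input)

# Compare the three modes on the same rendered HTML. :strip_tags loses the
# <blockquote>; :markdown_html keeps it but removes the <script> element, the
# javascript: href and the onclick handler. Exact output (for example whether
# the script's text survives as plain text) depends on the html_sanitize_ex version,
# so inspect it rather than relying on a hard-coded expectation.
for mode <- [:strip_tags, :markdown_html, :basic_html] do
  IO.puts("--- #{mode} ---")
  IO.puts(HtmlSanitizeEx |> apply(mode, [rendered]))
end

# What a template would receive: a {:safe, html} tuple produced only after sanitizing.
{:safe, _html} = SafeMarkdown.to_safe_html(input, :markdown_html)
```

Usage: in a template, `<%= SafeMarkdown.to_safe_html(comment.body) %>` renders the result without a second escaping pass, because raw/1 has already marked it safe. Keeping the raw/1 call inside the same function as the sanitizer is the point of the design: no other code path can produce a `{:safe, _}` value from user Markdown without going through the whitelist.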