I think a lot of people probably get burned not realizing that the Markdown spec includes all valid HTML by default.<p>Still, I don't think building a Markdown parser that doesn't sanitize or whitelist allowed tags by default is really excusable, even if it would be slower.<p>And I've seen several MVP projects posted here that crash if you so much as post an empty form. It seems to be an easy thing to forget.
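As an added illustration of the point above (example code, not the commenter's): a toy Markdown renderer that, like the spec, passes raw HTML straight through, followed by an allowlist sanitizer run over its output. The tag/attribute allowlist, the `SAFE_URL` scheme check and the `SAMPLE` input are all constructed for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: tags that survive, and the attributes each may keep.
ALLOWED_TAGS = {"p", "em", "strong", "code", "pre", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.IGNORECASE)  # rejects javascript:, data:, ...

class Sanitizer(HTMLParser):
    """Rebuild the document keeping only allowlisted tags/attributes; all text is re-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skip = [], 0, False

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped += 1
            self.skip = tag in ("script", "style")  # discard their text content too
            return
        kept = ""
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value and SAFE_URL.match(value.strip()):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = False
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def render_markdown(text):
    """Toy renderer: *emphasis* and blank-line paragraphs. Raw HTML passes through, as the spec allows."""
    paras = [p.strip() for p in re.split(r"\n\s*\n", text.strip())]
    return "".join("<p>" + re.sub(r"\*(.+?)\*", r"<em>\1</em>", p) + "</p>" for p in paras)

def render_safe(text):
    """Render, then sanitize. Returns (clean_html, number_of_dropped_tags)."""
    s = Sanitizer()
    s.feed(render_markdown(text))
    s.close()
    return "".join(s.out), s.dropped

# Constructed hostile input: <script>, an event-handler attribute, and a javascript: link.
SAMPLE = 'Hello *world*\n\n<script>alert(1)</script><img src=x onerror=alert(1)>Click <a href="javascript:alert(1)">me</a>'
```

`render_safe(SAMPLE)` returns the paragraphs with the script, the `img` and the unsafe `href` removed, plus a count of dropped tags that is worth logging as a signal of hostile input.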
At least they did something cute/funny rather than fullscreen a LiveLeak gore video or worse. :)<p><i>>This has also made me a more fervent believer in security-by-default.</i><p>I've yet to understand why anyone would be against security-by-default. How many users would rather have a set of [x] features that for whatever reason require an insecure setup compared to those who would prefer a secure setup?