- Developers and users often don’t understand that markdown output can be NOT safe.
- Sanitizer quality & setups can vary.
I think test vectors from the article above can be interesting to developers responsible for final app security.
Sanitization should always be a separate post-process from markdown. Markdown should be treated equivalently to a user providing raw HTML.