The commonmark spec says:
For security reasons, the Unicode character
U+0000
must be replaced with the REPLACEMENT CHARACTER (U+FFFD
).
Is it just that nulls are string terminators in C, or is there something that makes it dangerous even outside of C?