I know use another markup language, like wiki syntax or textile is to
prevent javascript injection. But for user who don’t know about wiki
syntax or textile, I’m thinking about just allow them to enter plain
html, parse the content, and reject all questionable tags and
attributes, only allow predefined (safe) tags, like bold or italic,
etc.
Is using html for markup less secure than using non-html markup?