Since the text is supposed to be plain text ( except for mentions etc), such deletion or processing should not ideally be done.

Same kind of behavior is seen in nostr.io just for the record. and I guess many other web clients.

yes bc I think allowing this opens you up to xss attacks in javascript runtime env. so its really a feature not a bug.

do you have any documentation on why it is safe to display this? everything I found seemed to say its not safe.

Making sure that the string is not an attack is of primary importance. I am just highlighting that after that has been done, and maybe the characters are removed/modified/escaped if needed, then the content should get displayed.

I take it there would be way to escape the character if nothing else works, or just remove it if needed, to make it less dangerous.

Worse case scenario: a removed <> characters would be better than nothing imo.

Its not a high priority thing, and doubt gets used a lot, but I recently got into it thats why I raised this.

yeah I am just using a library to sanitize the content and I don't have the experience to roll my own sanitization. sorry but I don't think there is anything else to do here. unless you have other suggestions I am going to close.