I've ranted before about quotification.
The link describes the HTML that Mediawiki allows in wiki pages, i.e. the markup it passes through.
More basically, Mediawiki must not allow arbitrary user text. In particular, it must not allow text that would interfere with the HTML that Mediawiki is itself producing.
Now, that last point is what my "modest proposal for quotification" specifically attacks: basically, add a tag bit to every character that the user inserts, so that it can be distinguished from Mediawiki-added HTML.
But my "modest proposal" would disallow any user-added HTML. Except for the user-added HTML that Mediawiki specifically whitelists, finds, filters, and explicitly removes the tag bit from. And, of course, any bugs in that procedure could lead to security holes...
At least HTML, XML, etc. are easy enough to parse that Mediawiki can filter out anything that isn't on the whitelist. It does not have to worry TOO MUCH that new syntax will be added that it does not know about. That's the joy of HTML/XML: the syntax is (relatively) stable. Extensions can be added by adding new elements and attributes, but existing parsers can recognize such additions and decide to pass them through or filter them out.
- specially marked stuff.) I.e. no switching to white on white zero size.
The above is a blacklist. Or a whitelist:
and so on.
Whitelist the capabilities.
Not necessarily the text.
Whitelist what the code does. Not the input.
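The whitelist-and-filter approach described above, as an added example that is not Mediawiki's code. The tag bit is inverted into the conventional form: a `Trusted` marker on markup the code itself produced or has already vetted, with everything else escaped as user text. The element and attribute policy (`ALLOWED`, `SAFE_HREF_PREFIXES`) is a constructed one for illustration, not Mediawiki's real whitelist; `style` is deliberately absent from it, which is the "whitelist the capability, not the text" point: a user can make text bold, but has no channel through which to recolor or resize it, so no blacklist of colour values is needed.

```python
from html import escape
from html.parser import HTMLParser

# Constructed policy for this example (NOT MediaWiki's real whitelist):
# element -> attributes it may carry. Anything else is dropped.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "br": set(),
    "a": {"href", "title"},
    "span": {"class"},
}
VOID_ELEMENTS = {"br"}
# Capability whitelist for href values: only these prefixes may appear.
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/")


class Trusted(str):
    """HTML our own code emitted or has already vetted (tag bit cleared).
    A plain str is treated as untrusted user text and escaped on output."""


def render(fragment: str) -> Trusted:
    """Pass Trusted markup through unchanged; escape everything else."""
    if isinstance(fragment, Trusted):
        return fragment
    return Trusted(escape(fragment, quote=True))


class WhitelistSanitizer(HTMLParser):
    """Re-serialise user HTML keeping only whitelisted elements/attributes.
    Unknown tags are dropped but their text content is kept (escaped)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []  # stack of allowed, non-void elements currently open

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # drop the tag itself; handle_data still keeps its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                continue  # scheme not on the capability whitelist
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_ELEMENTS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:
            # close everything down to (and including) the matching open tag
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # User text never reaches the output unescaped.
        self.out.append(escape(data, quote=True))

    def result(self) -> Trusted:
        self.close()  # flush any buffered input
        while self.open:  # close tags the user left open
            self.out.append(f"</{self.open.pop()}>")
        return Trusted("".join(self.out))


def sanitize(user_html: str) -> Trusted:
    """Filter user-supplied HTML down to the whitelist and mark it Trusted."""
    parser = WhitelistSanitizer()
    parser.feed(user_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample input.
    print(sanitize('<b>hi</b> <a href="javascript:x" style="color:white">x</a>'))
```

The parser is the standard library's `html.parser`; the re-serialisation step means nothing the parser did not understand can survive into the output, which is what makes a whitelist on stable syntax tractable. The remaining risk the post points at is entirely in the policy itself and in any bug in this filter, since its output is what gets the tag bit cleared.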