Are there any benefits of using Markdown to HTML (talking here mainly about WYSIWYG used in websites by non-tech users)? I've seen that even for a sanitized HTML, a user can inject many unknown patterns like <p><br></p> and make the input look ugly when rendered again. Is Markdown more secure and more performant at client side? What are the best JavaScript libraries for both options (excluding React.js, Vue.js, etc. based libraries)?
Markdown is quicker to write and non-programmers seem to have an easier time understanding it. Other than that I don't really have any insights.
Ben Buchanan (200ok)
I make some bits of the web.
I wouldn't present users with raw HTML in any case. Either give them a rich text editor like CKEditor or give them something like Markdown, Textile, etc. Even light abstractions like Markdown are a little tough for non-tech users, though - many still expect a word-processor-like experience (even though most word processors are awful, people still want that relatively-familiar WYSIWYG UI).
So for usability:
Regardless of the solution you choose, security will depend on how well you sanitise the data on the server side. You have to assume that your attacker is messing with your app in every possible way on the client side.
Think of client-side as doing input assistance while the server side does input sanitation. The client side helps enter the right stuff, the server makes sure they didn't enter anything dangerous.
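As an added illustration of the client/server split described in the last answer (this is not code from any poster in the thread): a dependency-free Node.js function that treats whatever the client sends as untrusted, re-emits only a small allowlist of attribute-less tags, and drops empty <p><br></p> paragraphs like the ones mentioned in the question. The tag list and the names sanitizeRichText and escapeText are assumptions made for the example.

```javascript
// Added example (not from the thread): server-side clean-up of rich-text input.
// Assumption: the site only needs these attribute-less formatting tags.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li']);
const ESCAPES = { '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape text so it can never be parsed as markup. Entities the editor already
// produced (&amp; &lt; ...) are kept instead of being double-escaped.
function escapeText(text) {
  return text
    .replace(/&(?!(?:amp|lt|gt|quot|nbsp|#39);)/g, '&amp;')
    .replace(/[<>"']/g, (ch) => ESCAPES[ch]);
}

function sanitizeRichText(untrusted) {
  // Walk the input as tag-like tokens, text runs, and stray "<" characters.
  const html = String(untrusted).replace(/<[^>]*>|[^<]+|</g, (token) => {
    // Only an exact allowlisted tag with no attributes is re-emitted, normalised.
    const tag = /^<(\/?)([a-z][a-z0-9]*)\s*\/?>$/i.exec(token);
    if (tag && ALLOWED_TAGS.has(tag[2].toLowerCase())) {
      return `<${tag[1]}${tag[2].toLowerCase()}>`;
    }
    // Everything else (unknown tags, tags with attributes, plain text) becomes text.
    return escapeText(token);
  });
  // Drop the empty paragraphs (<p><br></p>) that WYSIWYG editors tend to emit.
  return html.replace(/<p>(?:\s|&nbsp;|<br>)*<\/p>/g, '');
}

// Constructed sample input, as if posted by a tampered client.
const sample = '<P>Hi</P><p><br></p><p onclick="x()">Tom & Jerry</p>';
console.log(sanitizeRichText(sample));
```

The function does not check nesting, so its output can contain unbalanced allowlisted tags; that is untidy but cannot reintroduce attributes or tags outside the list.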