Or else what? They release the report? That's standard and ffmpeg is open source anyway, anybody can find the bug on their own. There's no threat here.

If you're mad about companies using your software, then don't release it with a license allowing them to use it. Simple as that. I don't understand how people can complain about companies doing exactly what you allowed them to do.

> currently have zero real-world impact

So better we not talk about them until someone bothers to write an exploit for it?

> the "researchers" didn't even bother to write a patch/fix

If it has no real-world impact and thus shouldn't even be reported, then why does it need to be fixed?

It's enabled by default so all that's required to exploit it would be to construct a payload file and name it movie.mp4

Allow me to quote an article from Cleveland Clinic Journal of Medicine https://www.ccjm.org/content/85/7/529 (AI generated nonsense of course)

> Secondary drowning, sometimes called delayed drowning, is another term that is not medically accepted. The historical use of this term reflects the reality that some patients may worsen due to pulmonary edema after aspirating small amounts of water.

> Drowning starts with aspiration, and few or only mild symptoms may be present as soon as the person is removed from the water. Either the small amount of water in the lungs is absorbed and causes no complications or, rarely, the patient’s condition becomes progressively worse over the next few hours as the alveoli become inflamed and the alveolar-capillary membrane is disrupted. But people do not unexpectedly die of drowning days or weeks later with no preceding symptoms. The lungs and heart do not “fill up with water,” and water does not need to be pumped out of the lungs.

> There has never been a case published in the medical literature of a patient who underwent clinical evaluation, was initially without symptoms, and later deteriorated and died more than 8 hours after the incident. People who have drowned and have minimal symptoms get better (usually) or worse (rarely) within 4 to 8 hours. In a study of more than 41,000 lifeguard rescues, only 0.5% of symptomatic patients died.

Maybe don't set too much store by what some random "water rescue course" instructor tells you, especially if it sounds like complete bovine excrement.

And I do think there's an evenly applied rule, namely: always explicitly close all non-void elements. There are only 14 void elements anyway, so it's not too much to expect readers to know them. In your own words "there's no substitute for actually knowing the real rules".

I mean, your approach requires memorizing for which 15 elements the closing tag can be omitted anyway (otherwise you'll mentally parse the document wrong (i.e. thinking a br tag needs to be closed is equally likely as thinking p tags can be nested)).

The risk that somebody might be expecting a closing tag for an hr element seems minuscule and is a small price to pay for conveniences such as (as I explained above) being able to find and replace a p tag or a li tag to a div tag.

> And at a time when there was legitimate browser competition, the one that made a "best effort" to render invalid content was the winner.

Yes, my point is that there is no reason to still write "invalid" code just because it's supported for backwards compatibility reasons. It sounds like you ignored 90% of my comment, or perhaps you replied to the wrong guy?

> In the past, these terms were used to try to explain that some fatal drowning victims had very little water in their lungs at autopsy. Now it is understood that little water enters the lungs during drowning. Moreover, when water enters the lungs, it is rapidly absorbed when breathing starts again. The amount of water that enters the lung does not determine the amount of injury or determine the treatment of drowning. The amount of injury from drowning is due to how long the victim is without oxygen.

Source: Red Cross