Hi! On Tue, Jul 7, 2009 at 11:21, Bernd Fondermann<bf_...@brainlounge.de> wrote: >> Don't trust the sender with the "to" address, use the one in the >> sessionContext. > > Now _you_ are getting overly defensive. ;-) > > If my mind serves me right, the to address has been checked before (in > ProtocolWorker?), so it's save to use it. And I don't think > getServerJID() will neccessarily give you the right one in every case > either.
Currently it should (why not?), but as soon as we allow components to have different domains it doesn't anymore. Anyway, the JID for the module should be configured elsewhere, and not take from the request. I'll fix that too tonight. Michael
