Dear Richard,
I agree very much - it is always a distinction between features and
flexibility vs. potential exploits etc. : who said java, javascript, word
macros etc...
However I do not agree with your point that jabber is already flexible
enough due to its reliance on XML.
XML is just a protocol for metatyping data structures. XML does not
contain any logics, loop constructs nor control statements and certainly
not any sort of mathematical manipulation.
This results in a rigid framework where one has to create external
components for every damn little service one wishes to create ontop of the
jabber server.
Thats what Im searching for with respect to a solution - I dont care if it
is a scripting solution, a backend solution or something third; but
adding some middleware (perl, python, ..., other high level language) to
jabber would be really nice.
Let me give just one more example, DJ Adams coffee machine check. Say Mr.
Adams would like to get a statistical analysis of whom uses his external
component.
What is required would be that his external component puts a flag in a
database. Then he should add a namespace via xdb in order to retrieve the
stats and have an external component that catches this packet and does a
SQL statement.
Lets assume this works so that I can say:
<iq type="get">
<query xmlns="coffee:stats"/>
</iq>
And the result being a top10 (its just bogus packets, which cant be used...):
<iq type="result">
<item>
<username>blabla</username>
<visits>10</visits>
</item>
<item>
<username>blabla</username>
<visits>5</visits>
</item>
<item>
<username>blabla</username>
<visits>3</visits>
</item>
....etc.
</iq>
Ok, lets say that now I want a top 20.
In jabber what I must do now is to create a new namespace that expands to
a SQL stament that fetches the 20 best.
Now I want a top 100. Same story.
What is missing? a method for passing data along with a iq-get packet:
<iq type="get">
<query xmlns="coffee:stats">
<top>20</top>
</query>
</iq>
Such a packet is not allowed. The <top> section is simply chopped off...!
Why? Because jabber was appearently not intended to anything but instant
messenger.
In the game I have done which uses jabber as XML socket server, I have
some +20 different namespaces many of which have exactly the same function
just different parameters.
It might be me who is lame and doesnt understand how to use JEP 004 but I
think many many developers out there have had similar problems - I know
since I have had private questions from some 10 different persons asking
how I have done the external component.
best regards,
Bernino Lind
>> What I picture is that one could have a scripting languague within the
>> packets, for example:
>>
>> <iq type="get">
>> <query xmlns="bla bla">
>> <script>
>> @users=fetchroster(1,2,3);
>> for ($i=0; $i<[EMAIL PROTECTED]) {
>> echo "<message [EMAIL PROTECTED]> In my new roster bla bla ";
>> }
>> createrostergroup(@users, "newrostergroup");
>> return @users;
>> </script>
>> </query>
>> </iq>
>
> Sorry but to me anyone doing something like this should be shot, having
> scripting send inside packets to be processed by the endpoint like this
> is a security hole of an enormous magnetude, and we definately should
> not be doing anything like this. This is kind of like word macros, it
> can have some benefits but the potential for abuse is massive, it would
> require all sorts of extra security stuff to even attempt to secure it.
> Overall I think the downsides are far more than the benefit of the
> convenience, the best thing is to continue doing what we have been doing
> and creating protocols for set purposes. We don't need the flexibility
> of a scripting system as we already have the flexibility/extensibility
> of XML and the jabber protocol to do things like this without creating
> massive security holes.
>
> Richard
>
> _______________________________________________
> jdev mailing list
> [EMAIL PROTECTED]
> http://mailman.jabber.org/listinfo/jdev
_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
