[jdev] Re: XHTML-IM XEP implementation
Alexander Gnauck [EMAIL PROTECTED] writes:

> but the max stanza size depends mostly on the server configuration.

For ejabberd, the default limits are 64 kiB for c2s and 128 kiB for s2s.

--
Magnus
JID: [EMAIL PROTECTED]

Re: [jdev] Re: XHTML-IM XEP implementation
On Thu, 2007-01-04 at 11:57 -0700, Peter Saint-Andre wrote:

> So many times people have brought this up, but at no time has anyone written up a spec for it. I wonder why? Do you want to include *all* XHTML content? Scripts? Media objects? Forms? If so, feel free to write up a spec for that. To me, it seems like a bad idea.

Indeed. And on top of that, client implementations that support XHTML-IM, are strongly urged to sanitize incoming messages instead of blindly feeding it to an embedded HTML renderer. This is how malware gets its chance. This also goes for a possible XHTML document enclosure XEP, or any other non-local data for that matter.

--
Groetjes,
ralphm

Re: [jdev] Re: XHTML-IM XEP implementation
Hi Maciek!

Maciek Niedzielski wrote:

> content:part type=text/html html xmlns=.../html /content:part

Well this one would not work. HTML is based on SGML which cannot always be directly included in XML. You will either have to include it escaping the special characters:

content:part type=text/html lt;html xmlns=lt;/html /content:part

Or you have to restrict it to use XHTML (which is based on XML as you know):

content:part type=application/xhtml+xml html xmlns=.../html /content:part

... and you would have to define (either implicit or explicit) which types are included directly and which have to be escaped.

Personally I prefer using XHTML instead of HTML. But if you are really XHTML (1.1) aware, you should also have no problems, that XHTML-IM has its own profile of XHTML. Due to my feelings it is correct, that we limit the set of allowed elements. If a client has problems implementing this, it is caused because they are trying to use a UI widget, that is designed for HTML and not for XHTML.

But I am no client developer, so please let the other people discuss this topic ...

Matthias

--
Matthias Wimmer      Fon +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/

Re: [jdev] Re: XHTML-IM XEP implementation
Hi

I'm looking for an XSS filter, but couldn't find an XSLT-based filter for XHTML. I make browser-based Jabber clients and the problem with XHTML (SVG) is that it is very difficult to get rid of JavaScript. If a cracker is able to execute JavaScript in my client, he is able to take over the account - that's not good.

Here I tried to make a filter: http://lamp2.fh-stpoelten.ac.at/%7Elbz/beispiele/ws2006/xss/

If somebody has a better filter please tell me. Otherwise feel free to test and improve it.

Bernhard

> Indeed. And on top of that, client implementations that support XHTML-IM, are strongly urged to sanitize incoming messages instead of blindly feeding it to an embedded HTML renderer. This is how malware gets its chance. This also goes for a possible XHTML document enclosure XEP, or any other non-local data for that matter.

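An allowlist sanitizer of the kind asked for above, as an added example that is not part of the thread and is not the filter linked in the post. The element and attribute allowlist, the permitted URL schemes and the sample payload are assumptions made for illustration; dropped elements lose their content, while the text that follows them is kept.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XHTML = "http://www.w3.org/1999/xhtml"
# Illustrative allowlist (element -> attributes), not the XEP's full profile; no "style".
ALLOWED = {n: set() for n in "body p span br strong em blockquote ul ol li".split()}
ALLOWED.update(a={"href"}, img={"src", "alt"})
SAFE_SCHEMES = {"http", "https", "xmpp", "mailto"}

def _safe_url(value):
    cleaned = "".join(ch for ch in value if ch > " ")  # no whitespace/control chars
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

def _clean(src):
    """Return a sanitized copy of src, or None if the element must be dropped."""
    ns, _, name = src.tag[1:].partition("}") if src.tag[:1] == "{" else ("", "", src.tag)
    if ns != XHTML or name not in ALLOWED:
        return None  # script, svg, object, form, anything unknown
    out = ET.Element(name)
    for attr, value in src.attrib.items():  # on* handlers never match the allowlist
        if attr in ALLOWED[name] and (attr not in ("href", "src") or _safe_url(value)):
            out.set(attr, value)
    out.text, last = src.text, None
    for child in src:
        kept = _clean(child)
        if kept is not None:
            out.append(kept)
            last = kept
        tail = child.tail or ""  # text after a dropped child is still kept
        if last is not None:
            last.tail = (last.tail or "") + tail
        else:
            out.text = (out.text or "") + tail
    return out

def sanitize_xhtml_im(payload):
    if "<!" in payload or "<?" in payload:  # no DTD, comment or PI belongs in a stanza
        raise ValueError("markup declaration or processing instruction in payload")
    root = _clean(ET.fromstring(payload))
    if root is None or root.tag != "body":
        raise ValueError("payload is not an XHTML body element")
    return ET.tostring(root, encoding="unicode")

SAMPLE = (  # constructed sample, not taken from the thread
    '<body xmlns="http://www.w3.org/1999/xhtml"><p onclick="steal()">hi '
    '<script>alert(1)</script>there <a href="javascript:alert(1)">x</a> '
    '<a href="https://example.org/">ok</a>'
    '<svg xmlns="http://www.w3.org/2000/svg" onload="x()"/></p></body>')
```

The output carries plain element names without the XHTML namespace, which suits handing it to an HTML renderer; a client that re-sends the markup would have to add the namespace back.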
[jdev] xmpp library for java
Hello there,

I am looking for a Java library with a flexible API to manage an XMPP session. I already looked at Smack; however, after I examined the code, as I could not find the proper functionality I need, I found this library to be ... somehow string-based :/

I need a library that can do the following tasks:

1. Create and analyze packages (for example iq, message...) in a DOM-like way: that means I want the possibility to create and analyse the complete root (iq, message, presence) elements and all the child-elements, namespaces, properties myself.
2. I can directly write to the output stream (send binary data through socket) to the server.

P.s. 2. is optional; very important is 1.!!

Thank you for the quick help plz.

ed

Re: [jdev] xmpp library for java
On 1/5/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> P.s. 2. is optional; very important is 1.!!

most libraries support 1, almost none support 2. I haven't used any java libs, so can't suggest good or bad ones.

(You can always implement 2 by side-stepping the library and writing to the socket directly, but this is generally considered to be a bad idea. If you want to send custom stanzas then the library should support that)

--
- Norman Rasmussen
- Email: [EMAIL PROTECTED]
- Home page: http://norman.rasmussen.co.za/

Re: [jdev] xmpp library for java
The new plugin-based framework for Echomine Feridian supports both 1 and 2. Unfortunately, documentation is fairly sparse at the moment because I haven't had a chance to write about it yet. The API javadocs are always fully documented though.

http://open.echomine.org/

Thank You,
Chris

On Jan 5, 2007, at 5:26 AM, [EMAIL PROTECTED] wrote:

> Hello there,
>
> I am looking for a Java library with a flexible API to manage an XMPP session. I already looked at Smack; however, after I examined the code, as I could not find the proper functionality I need, I found this library to be ... somehow string-based :/
>
> I need a library that can do the following tasks:
>
> 1. Create and analyze packages (for example iq, message...) in a DOM-like way: that means I want the possibility to create and analyse the complete root (iq, message, presence) elements and all the child-elements, namespaces, properties myself.
> 2. I can directly write to the output stream (send binary data through socket) to the server.
>
> P.s. 2. is optional; very important is 1.!!
>
> Thank you for the quick help plz.
>
> ed

Re: [jdev] xmppping - simple XEP-0199 pinging script
Maciek Niedzielski wrote:

> Hi,
>
> I wrote a simple script that can be used for xmpp-pinging.
> http://machekku.uaznia.net/jabber/xmppping/xmppping-0.1.tar.gz
> (requires python and PyXMPP)
>
> It tries to mimic ping command, so should be not so hard to use ;)

Cool, thanks!

> A nice thing in the XEP is that even if other entity does not support the XEP, it will return an error, which serves for a pong. However, it is important to notice that not every error response is a pong. The XEP suggests using cancel/service-unavailable. cancel/feature-not-implemented (sent by jabberd2) sounds fine, too. However, there are errors like wait/recipient-unavailable which are definitely not pongs. So implementors should be careful about what they accept as pongs.
>
> Other thing: when pinging new jabberd14 on amessage.de, I noticed that it sends a pong when I ping a (most probably) nonexistent account (I used a random node and resource). I'm not sure if this is the right thing to do. I think the rule is that server should not respond for Iq sent to a full JID.

See here:

http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3921bis-00.html#rules

Returning <service-unavailable/> is the right thing to do here (at least according to the spec).

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml

Re: [jdev] xmppping - simple XEP-0199 pinging script
Peter Saint-Andre wrote:

> See here:
>
> http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3921bis-00.html#rules

Hmm... I just noticed something. Let's say we're pinging a client which does not support ping namespace:

Example 9. Ping Not Supported

    <iq from='[EMAIL PROTECTED]/chamber' to='[EMAIL PROTECTED]/home' id='ping345' type='result'>
      <ping xmlns='urn:xmpp:ping'/>
      <error type='cancel'>
        <service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
      </error>
    </iq>

Now 3921bis says:

    3. Else if the JID is of the form [EMAIL PROTECTED]/resource and no connected or available resource matches the full JID, the recipient's server (...) MUST return a <service-unavailable/> stanza error to the sender if it is an IQ stanza

So the reply above may mean both a pong and a not-pong, and it's impossible to tell the difference.

BTW: What happened to feature-not-implemented?

--
Maciek
xmpp:[EMAIL PROTECTED]
xmpp:[EMAIL PROTECTED]

A: It's against natural order of reading.
Q: Why is that?
A: People answering above quoted text.
Q: What's the most annoying on newsgroups?

Re: [jdev] xmppping - simple XEP-0199 pinging script
Maciek Niedzielski wrote:

> Peter Saint-Andre wrote:
>
>> See here:
>>
>> http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3921bis-00.html#rules
>
> Hmm... I just noticed something. Let's say we're pinging a client which does not support ping namespace:
>
> Example 9. Ping Not Supported
>
>     <iq from='[EMAIL PROTECTED]/chamber' to='[EMAIL PROTECTED]/home' id='ping345' type='result'>
>       <ping xmlns='urn:xmpp:ping'/>
>       <error type='cancel'>
>         <service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
>       </error>
>     </iq>
>
> Now 3921bis says:
>
>     3. Else if the JID is of the form [EMAIL PROTECTED]/resource and no connected or available resource matches the full JID, the recipient's server (...) MUST return a <service-unavailable/> stanza error to the sender if it is an IQ stanza
>
> So the reply above may mean both a pong and a not-pong, and it's impossible to tell the difference.

That's right, it's impossible to tell the difference. And that's a feature, because we try to discourage directory harvesting attacks.

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml

Re: [jdev] xmppping - simple XEP-0199 pinging script
Peter Saint-Andre wrote:

> Maciek Niedzielski wrote:
>
>> Peter Saint-Andre wrote:
>>
>>> http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3921bis-00.html#rules
>>
>> Let's say we're pinging a client which does not support ping namespace:
>>
>> Example 9. Ping Not Supported
>>
>>     <iq from='[EMAIL PROTECTED]/chamber' to='[EMAIL PROTECTED]/home' id='ping345' type='result'>
>>       <ping xmlns='urn:xmpp:ping'/>
>>       <error type='cancel'>
>>         <service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
>>       </error>
>>     </iq>
>>
>> Now 3921bis says:
>>
>>     3. Else if the JID is of the form [EMAIL PROTECTED]/resource and no connected or available resource matches the full JID, the recipient's server (...) MUST return a <service-unavailable/> stanza error to the sender if it is an IQ stanza
>>
>> So the reply above may mean both a pong and a not-pong, and it's impossible to tell the difference.
>
> That's right, it's impossible to tell the difference. And that's a feature, because we try to discourage directory harvesting attacks.

So it's quite funny that server devs rushed to implement this XEP, while it is more important to have client implementations, since server's service-unavailable error reply always means a pong, while client's error reply has no known meaning.

--
Maciek
xmpp:[EMAIL PROTECTED]
xmpp:[EMAIL PROTECTED]

A: It's against natural order of reading.
Q: Why is that?
A: People answering above quoted text.
Q: What's the most annoying on newsgroups?

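The pong rules worked out in this thread, as an added example that is not part of the thread and is not code from xmppping: a result or one of the two named cancel errors counts as a pong, other errors do not, and service-unavailable for a full JID is reported as ambiguous because the server returns the same error when no such resource is connected. The function names, the JIDs and the sample stanzas are constructed for illustration, and the samples use type='error' for error replies.

```python
import xml.etree.ElementTree as ET

CLIENT = "{jabber:client}"
STANZAS = "{urn:ietf:params:xml:ns:xmpp-stanzas}"
# (error type, condition) pairs the thread treats as acceptable pongs
PONG_ERRORS = {("cancel", "service-unavailable"), ("cancel", "feature-not-implemented")}

def classify_ping_reply(xml_text, ping_id, target_jid):
    """Return 'pong', 'ambiguous', 'not-pong' or 'unrelated' for one received stanza."""
    iq = ET.fromstring(xml_text)
    if (iq.tag, iq.get("id"), iq.get("from")) != (CLIENT + "iq", ping_id, target_jid):
        return "unrelated"  # different stanza, request or sender
    kind = iq.get("type")
    if kind == "result":
        return "pong"
    if kind != "error":
        return "unrelated"
    err = iq.find(CLIENT + "error")
    if err is None:
        return "not-pong"
    conditions = {c.tag[len(STANZAS):] for c in err if c.tag.startswith(STANZAS)}
    if not any((err.get("type"), c) in PONG_ERRORS for c in conditions):
        return "not-pong"  # e.g. wait/recipient-unavailable
    bare, slash, _resource = target_jid.partition("/")
    if slash and "@" in bare and "service-unavailable" in conditions:
        # For a full JID the server sends the same error when no such resource
        # is connected, so this reply does not show that anything is there.
        return "ambiguous"
    return "pong"

def _reply(sender, body, kind="error"):  # builds constructed sample stanzas
    return (f"<iq xmlns='jabber:client' from='{sender}' to='romeo@example.net/home' "
            f"id='ping345' type='{kind}'>{body}</iq>")

def _error(kind, condition):
    return (f"<error type='{kind}'><{condition} "
            "xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/></error>")

FULL = "juliet@example.com/chamber"  # placeholder JID
SAMPLES = {  # constructed replies: name -> (pinged JID, stanza received)
    "server result": ("example.com", _reply("example.com", "", "result")),
    "server error": ("example.com", _reply("example.com", _error("cancel", "service-unavailable"))),
    "full JID error": (FULL, _reply(FULL, _error("cancel", "service-unavailable"))),
    "recipient gone": (FULL, _reply(FULL, _error("wait", "recipient-unavailable"))),
}

def demo():
    return {name: classify_ping_reply(xml, "ping345", jid) for name, (jid, xml) in SAMPLES.items()}
```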
Re: [jdev] xmpp library for java
[EMAIL PROTECTED] wrote:

> I am looking for a Java library with a flexible API to manage a xmpp session.

Hello!

You can try jaxmpp library (https://svn.tigase.org/reps/jaxmpp/trunk). But remember: this is a library in a very early development stage. If you decide to use jaxmpp, you can contact me directly via email or jabber for help.

Regards.

--
Bartosz Małkowski
JID: [EMAIL PROTECTED]