On 12 October 2017 at 19:43, Georg Lukas wrote:
> My primary use case of XHTML-IM is syntax-colored code, so what I wish
> for is:
>
> - pre-formatted text
> - different foreground colors
> - bold, italics, underline
>
So for this, I'm thinking we should go the snippets route. That is,
these sort
On Thu, Oct 12, 2017, at 13:43, Georg Lukas wrote:
> The web as an application platform is a monster that's almost impossible
> to deploy securely. I'm sure you'll find XSS vulnerabilities in most
> web-based XMPP clients, with or without XHTML-IM support. Fixing this
> one hole will not make the i
Hi Sam,
* Sam Whited [2017-10-11 22:44]:
> I'd like to suggest (again) that we obsolete XHTML-IM. If the easy way
> to implement a spec is insecure, you can be sure users will do that. We
> can't guarantee security in a spec, but we can certainly make something
> that's harder than XHTML-IM to im
On 12 October 2017 at 16:32, Jonas Wielicki wrote:
> On Thursday, 12 October 2017 15:58:02 CEST Dave Cridland wrote:
>> On 12 October 2017 at 15:19, Sam Whited wrote:
>> > On Thu, Oct 12, 2017, at 03:09, Dave Cridland wrote:
>> >> I would note that in principle, a content security policy ought
On Thu, Oct 12, 2017, at 10:49, Sam Whited wrote:
> On Thu, Oct 12, 2017, at 10:32, Jonas Wielicki wrote:
> > TL;DR: I strongly prefer revising XHTML-IM to a more sane subset of XHTML
>
> This is missing the point and will not help. If people are breaking it
> now because it's easier just to slap
On Thu, Oct 12, 2017, at 10:32, Jonas Wielicki wrote:
> TL;DR: I strongly prefer revising XHTML-IM to a more sane subset of XHTML
This is missing the point and will not help. If people are breaking it
now because it's easier just to slap whatever the user sent in the DOM,
or because of subtle issu
On Thursday, 12 October 2017 15:58:02 CEST Dave Cridland wrote:
> On 12 October 2017 at 15:19, Sam Whited wrote:
> > On Thu, Oct 12, 2017, at 03:09, Dave Cridland wrote:
> >> I would note that in principle, a content security policy ought to
> >> prevent such attacks outright.
> >>
> >> But th
On Thursday 12 October 2017, 16:58:02 CEST Dave Cridland wrote:
> On 12 October 2017 at 15:19, Sam Whited wrote:
> > On Thu, Oct 12, 2017, at 03:09, Dave Cridland wrote:
> >> I would note that in principle, a content security policy ought to
> >> prevent such attacks outright.
> >>
> >> But there
On Thu, Oct 12, 2017, at 09:58, Dave Cridland wrote:
> It's clearly not orthogonal, since simply getting rid of XHTML-IM is
> not deprecating it in favour of anything else.
I didn't quite follow that. I'm suggesting we don't have to have a
replacement already prepared before we obsolete XHTML-IM,
On 12 October 2017 at 15:19, Sam Whited wrote:
> On Thu, Oct 12, 2017, at 03:09, Dave Cridland wrote:
>> I would note that in principle, a content security policy ought to
>> prevent such attacks outright.
>>
>> But there would, probably, remain several other innovative attacks,
>> such as passing
On Thu, Oct 12, 2017, at 03:09, Dave Cridland wrote:
> I would note that in principle, a content security policy ought to
> prevent such attacks outright.
>
> But there would, probably, remain several other innovative attacks,
> such as passing client-specific markup intended to duplicate existing
On Thu, Oct 12, 2017, at 01:26, Jonas Wielicki wrote:
> I prepared a pull request to clarify the wording [1].
Thanks, it's always good to try and make these things clearer.
> Well, yes, but that’s the issue with doing webapps, right?
Sure, you always have to be careful of this. XHTML-IM just mak
On 12.10.2017 14:30, Jonas Wielicki wrote:
> On Thursday, 12 October 2017 13:42:42 CEST Goffi wrote:
>> On Thursday 12 October 2017, 13:13:17 CEST Dave Cridland wrote:
>>> So can something like the following work:
>>>
>>> Hello
>>
>> no: styles are whitelisted and background-image is not accept
On Thu, Oct 12, 2017 at 10:27:43AM +0200, Goffi wrote:
> There are dozens of flavours of [Markdown], not always compatible; it's not a
> syntax adapted for XML, and it's really limited (no table/color by default,
> for instance). Markdown is not standardized, which makes it quite a bad choice to
On Thursday, 12 October 2017 13:42:42 CEST Goffi wrote:
> On Thursday 12 October 2017, 13:13:17 CEST Dave Cridland wrote:
> > So can something like the following work:
> >
> > Hello
>
> no: styles are whitelisted and background-image is not accepted + values
> are parsed and url is not accept
On Thursday 12 October 2017, 13:13:17 CEST Dave Cridland wrote:
> But out of curiosity, do you allow inline style in your uses of XHTML-IM?
yes
> So can something like the following work:
>
> Hello
no: styles are whitelisted and background-image is not accepted + values are
parsed and url is
On 12 October 2017 at 09:27, Goffi wrote:
> Hi David,
>
> On Thursday 12 October 2017, 10:09:41 CEST Dave Cridland wrote:
>
>> There are dozens of quite reasonable Markdown libraries in Javascript.
>> These will handle, suppress, and otherwise deal with embedded HTML.
>> Every other IM system I ca
Hi David,
On Thursday 12 October 2017, 10:09:41 CEST Dave Cridland wrote:
> There are dozens of quite reasonable Markdown libraries in Javascript.
> These will handle, suppress, and otherwise deal with embedded HTML.
> Every other IM system I can find just does Markdown of some flavour.
> XHTML i
On 11 October 2017 at 21:42, Sam Whited wrote:
> Hi all,
>
> I recently tried out another service that supported XEP-0071: XHTML-IM
> [1]. Like all other web-based services with XHTML-IM support that I've
> tried, it was vulnerable to a trivial script injection. When I say
> "all", I really do mea
On Wednesday 11 October 2017, 22:42:45 CEST Sam Whited wrote:
the years and we should obsolete as quickly as possible.
>
> Thoughts?
>
> —Sam
>
> [1]: https://xmpp.org/extensions/xep-0071.html
Hi Sam,
I'm totally opposed to deprecating a spec because of a bugged implementation.
XHTML-IM is a r