On Thu, Oct 12, 2017, at 13:43, Georg Lukas wrote:
> The web as an application platform is a monster that's almost impossible
> to deploy securely. I'm sure you'll find XSS vulnerabilities in most
> web-based XMPP clients, with or without XHTML-IM support. Fixing this
> one hole will not make the ignorant developers smarter automatically,
> thus preventing further XSS.

No one ever said it would. The point is not, and never has been, to come
up with a panacea to magically fix all XSS' in all clients.

> What I would like to see before changing my mind is an actual (rough)
> idea of a new formatting specification that will be easy to do right, on
> the web. The more features we add, the more ways there will be for evil
> HTML to slip through the filters, or the bigger the developers'
> inclination to just drop-in some library that automagically converts the
> input into HTML, opening a wide attack vector once again.

I would like to see such a thing too, but I still don't understand why
we'd want to wait on having one to obsolete XHTML-IM and stop
recommending that people implement it. Remember, existing
implementations won't just disappear because we obsolete it; we don't
have to have an upgrade path for them.

> I don't want to end up reinventing XHTML-IM with all the features it
> has now, in a different format, and ending up in the same security
> nightmare we are in at the moment, except that we'll have killed off
> most of the currently existing implementations of XMPP with markup.

I agree, we don't want to build something that has the same flaws. I
disagree that we'll be killing anything off though. XEP-0016 was
deprecated, and I didn't see everyone suddenly decide to immediately
drop support for it. It still exists in ejabberd, gajim, etc.

—Sam
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________