On Wed, Mar 7, 2018, at 12:33, Kozlov Konstantin wrote:
> So, the only reason to obsolete the XEP is not the XEP itself, but bad
> implementations?

In a sense. Fixing the existing broken implementation doesn't fix the underlying problem though. It's more about the fact that any tiny mistake when implementing the XEP will likely create a security issue (as we have seen in the real world). Because even if you implement a whitelist (which is technically secure) it is a whitelist on top of a very large, complicated system with many different attack vectors. If you make any sort of mistake when implementing that whitelist, you potentially expose the underlying complicated system (XHTML). If we can build something simpler on top of a less complicated system, we can hopefully avoid some of these issues.

—Sam