XSF Discussion - 2015-11-28


  1. Link Mauve

    Sigh… https://github.com/candy-chat/candy/issues/445

  2. SamWhited

    This is why XHTML-IM needs to be replaced. I know technically it's secure, but it's too easy for people to screw it up.

  3. Link Mauve

    Web people manage to screw up without its help, you know.

  4. SamWhited

    Exactly, the situation is bad enough as is without us encouraging it :)

  5. Link Mauve

    I think on the contrary, specifying a whitelist helps people get things right.

  6. SamWhited

    Oh yah, the xep does it right, but no one actually reads standards.

  7. Link Mauve

    Meh, Candy’s latest version seems actually pretty buggy.

  8. SamWhited

    (I'm only sort of being facetious now...)

  9. daniel

    but hey html in text message is a really good idea

  10. Zash

    So are you submitting a patch? ;)

  11. Kevish

    I'm not convinced that removing xhtml-im would improve anything.

  12. Kevish

    People who just want pretty text and don't care about how they do it are no better off without a spec telling them they're being silly, certainly, and for people who want pretty text and do care, it's helpful to give a 'right way' to do it.

  13. Link Mauve

    I fully agree with that.

  14. SamWhited

    Nah, if we gave them basic-formatting-language-im I don't think they'd add script tags to it or inject it straight into the DOM.

  15. Link Mauve

    You seem to be overestimating them.

  16. Zash

    That's exactly what would happen

  17. Link Mauve

    innerHTML is easy to use, and there is nothing that could harm the user in this new language right!

  18. SamWhited

    Fair enough :(

  19. SamWhited

    Yah, it's true; no idea where that burst of optimism came from, but you're right of course.

  20. Kevish

    Nor me, but it's obviously not healthy :)

  21. Link Mauve

    edhelas just reminded me that his client used to pass the body itself to the DOM. :p

  22. Link Mauve

    Without implementing XHTML-IM.

  23. SamWhited

    Theoretically the body is escaped though, so as long as you're not unescaping it you should be good (though it never hurts to double check).

  24. SamWhited

    I'm sure you could find a way to exploit it if you're sticking anything straight into the DOM.

  25. Link Mauve

    No, there is no escaping in the strings you get from your XMPP library.

  26. Link Mauve

    It’s always the application's role to escape things as it sees fit.

  27. Kevish

    Right. The body's escaped on the wire, but what you get out of your XMPP lib isn't going to be.

  28. Zash

    unless it's a really bad lib made of regexes

  29. Link Mauve

    :D

  30. Zash

    Also depends on how you put stuff into the DOM

  31. Link Mauve

    innerHTML ALL the things. o/