-
Link Mauve
Sigh… https://github.com/candy-chat/candy/issues/445
-
SamWhited
This is why XHTML-IM needs to be replaced. I know technically it's secure, but it's too easy for people to screw it up.
-
Link Mauve
Web people manage to screw up without its help, you know.
-
SamWhited
Exactly, the situation is bad enough as is without us encouraging it :)
-
Link Mauve
I think on the contrary, specifying a whitelist helps people get things right.
-
SamWhited
Oh yah, the xep does it right, but no one actually reads standards.
-
Link Mauve
Meh, Candy’s latest version seems actually pretty buggy.
-
SamWhited
(I'm only sort of being facetious now...)
-
daniel
but hey html in text message is a really good idea
-
Zash
So are you submitting a patch? ;)
-
Kevish
I'm not convinced that removing xhtml-im would improve anything.
-
Kevish
People who just want pretty text and don't care about how they do it are no better off without a spec telling them they're being silly, certainly, and for people who want pretty text and do care, it's helpful to give a 'right way' to do it.
-
Link Mauve
I fully agree with that.
-
SamWhited
Nah, if we gave them basic-formatting-language-im I don't think they'd add script tags to it or inject it straight into the DOM.
-
Link Mauve
You seem to be overestimating them.
-
Zash
That's exactly what would happen
-
Link Mauve
innerHTML is easy to use, and there is nothing that could harm the user in this new language right!
-
SamWhited
Fair enough :(
-
SamWhited
Yah, it's true; no idea where that burst of optimism came from, but you're right of course.
-
Kevish
Nor me, but it's obviously not healthy :)
-
Link Mauve
edhelas just reminded me that his client used to pass the body itself to the DOM. :p
-
Link Mauve
Without implementing XHTML-IM.
-
SamWhited
Theoretically the body is escaped though, so as long as you're not unescaping it you should be good (though it never hurts to double check).
-
SamWhited
I'm sure you could find a way to exploit it if you're sticking anything straight into the DOM
-
Link Mauve
No, there is no escaping in the strings you get from your XMPP library.
-
Link Mauve
It’s always the application’s role to escape things as they see fit.
-
Kevish
Right. The body's escaped on the wire, but what you get out of your XMPP lib isn't going to be.
-
Zash
unless it's a really bad lib made of regexes
-
Link Mauve
:D
-
Zash
Also depends on how you put stuff into the DOM
-
Link Mauve
innerHTML ALL the things. o/