-
pep.
When are we going to get out of the loop :(
-
moparisthebest
pep.: *Never* muhuhahaha
-
pep.
When are we going to get out of the loop :(
-
zinid
Just deprecate XML, it's insecure
-
MattJ
along with Javascript and SQL
-
zinid
that would be great
-
Zash
And x86
-
Zash
And neurons
-
jonasw
Link Mauve, my issue with colors is that they are not portable at all. your choice of colors may be badly readable on my background
-
jonasw
since people tend to forget that I had to block inbound colors on my desktop client.
-
jonasw
I’m not against a color support, but we need to define a way (Ge0rG suggested to support a palette of XEP-0392 colors which applications can then adapt according to XEP-0392 to their backgrounds) which allows to play nice with themes.
-
daniel
jonasw: just set a background color as well
-
jonasw
daniel, yes, that makes things *so* much better :P
-
daniel
Xhtml is perfect. People are just using it wrong
-
daniel
It's the people. Not the protocol
-
jonasw
Link Mauve, re JSON based protocol-break: I think it can be done in a way which makes arbitrary XHTML injection much harder to let happen than with XHTML-Im.
-
zinid
jonasw: so you think it's worth redoing everything just because the new format will possess less issues? Not everyone agrees with it, that's why this discussion is not going to stop
-
jonasw
zinid, *shrug*. I’d still be okay with the "provide an audited reference implementation for XHTML-IM solution", but I feel that won’t get past SamWhited. I’m trying to compromise here without losing what we can do today.
-
zinid
if SamWhited doesn't pass it that would mean nothing will ever happen
-
zinid
and we're back to the beginning
-
Ge0rG
Wow, that discussion.
-
Ge0rG
It seems to be so fundamental, maybe we should question the use of XML as well...
-
jonasw
Ge0rG, you love to pour oil into fires, don’t you?
-
Ge0rG
jonasw: okay, that was a bit harsh. Let's only question session binding and message routing.
-
jonasw
Ge0rG, that sounds good.
-
jonasw
didn’t we do that already?
-
Ge0rG
jonasw: or maybe we need a different approach to the 'database synchronization" thought: XMPP 2.0 is an HTML document that's slowly loading from the server as new messages arrive.
-
Ge0rG
That way we can implement dumb clients in Electron.
-
jonasw
Ge0rG, you’re describing Comet
-
Zash
jonasw: Pouring oil? More like feeding it an optimally mixed solution of pure oxygen and aerosolized oil
-
Ge0rG
Because the server is trustworthy by default, there is no need to cover XSS
-
jonasw
Zash, :)
-
Zash
Yes, trust in the server. We're all trustworthy people making them.
-
Ge0rG
Well, problem solved. Back to real work.
-
zinid
Ge0rG: or course we can question the use of XML, because it's shit
-
zinid
now we need to rewrite everything?
-
Zash
Yeah, starting over from scratch is so much fun!
-
pep.
Why dont we use http and json already
-
Ge0rG
Wait, there is a ready-made solution already. Matrix!
-
pep.
Ge0rG, I think we came to the same conclusion
-
zinid
pep.: because jabber was initially designed with flaws: there is no separation between encoding rules and data types, so we cannot simply change encoding rules
-
zinid
I'm talking about it since 2004
-
pep.
zinid: that was sarcastic
-
pep.
If it wasn't obvious enough :)
-
zinid
pep.: right, but that would be possible if xmpp wasn't designed the way it was
-
pep.
Sure, but who would do that :x
-
zinid
matrix has exactly the same problem btw, when json is no longer modern and fancy it will be abandoned
-
Zash
Obviously
-
Ge0rG
So we need to use an established standard that won't vanish. ASN.1!
-
Zash
YES
-
jonasw
AaaaaaaaAAAAAaaaaaAAAaaaaaaaa
-
jonasw
I always get attacks of pain when I read ASN.1, and I don’t even know why.
-
Ge0rG
So recently I started reading that old "Easy introduction into the subset of ASN.1 relevant for [application]", and I gave up after twenty pages.
-
jonasw
lol
-
Zash
jonasw: Spend some time with it. It should turn into a mild itch eventually.
-
Zash
I hope you all read x509guide.txt
-
Steve Kille
ASN.1 is wonderful. MUCH easier to write specs in than XML and compact on the wire
-
Zash
Steve Kille: Which encoding rules? ;)
-
zinid
Steve Kille: the learning curve is too high, that's why they are crying :)
-
jonasw
Steve Kille, reminds me, I (with my editor hat on) would like to fix some XML issues in the MIX XEP at some point. Let me know when that’d work for you so that we don’t produce conflicts.
-
zinid
Zash: why encoding rules would boher an application programmer? You don't need to deal with them directly
-
Steve Kille
jonasw: now would be an excellent time for you to do this. I do not have MIX XEP checked out.
-
jonasw
Steve Kille, mhm, right, now won’t work for me though :-). I’ll ask you again when I’m ready (I expected a reply along the lines of "I have some update prepared which I’ll push at some point")
-
Ge0rG
jonasw: you could ask for a time window as well ;)
-
Steve Kille
There are various changes I want to make, but they all need discussion with my co-author
-
jonasw
Ge0rG, indeed; I’m away for a week now though
-
jonasw
so this was probably not the smartest time for me to ask :)
-
Ge0rG
jonasw: you could ask something like "is it okay if I do it in a week" :P
-
jonasw
Ge0rG, in two weeks rather
-
Steve Kille
I have one editorial task, which you are welcome to take on (but I can also do easily) which is to ensure that ALL of the examples use .example (following IETF guidelines)
-
Steve Kille
I got editorial changes forced for:
-
Steve Kille
https://datatracker.ietf.org/doc/draft-kille-ldap-xmpp-schema/
-
Steve Kille
jonasw: ping me on MIX editing. I am not expecting to make changes over the next few weeks
-
jonasw
Steve Kille, okay thanks
-
pep.
(What is a white page service?)
-
Ge0rG
pep.: a public phone book?
-
pep.
Ohh
-
pep.
That
-
Ge0rG
I think there is one very important twist missing from the current XHTML-IM vs. markdown vs. body-hints debate: We also need an explicit encoding for Emoji in ASCII form. Some clients will parse `(c)` as a mug of coffee, others as ©. We should standardize how Emoji are to be transmitted and translated.
-
Kev
As unicode. Job done.
-
dwd
Ge0rG, A good point to raise, and also Kev's right.
-
Kev
I suggest <no-emoticons xmlns='...'/> as a child element of the message.
-
edhelas
in Unicode � trust
-
Kev
So that recipients know that the sending client doesn't use text emoticons, only unicode emoji.
-
Ge0rG
Kev: in theory, you are right. In practice, it is impossible for a client implementation to figure out which subset of Unicode is supported by its platform.
-
Kev
That's ok, in a sense. Clients can e.g. swap out unicode emoji for images locally.
-
Ge0rG
Kev: we could of course define entity caps for a client to show which subset it supports.
-
Kev
I think (much as I hate it) that that's what Swift's going to have to do on Linux, at least, and probably Windows.
-
Ge0rG
I'm also a proponent of emoji hugification in IM. Because you can't read them at 8x16 pixels.
-
Ge0rG
TIL about emoji CLDR short names: "The CLDR short name for the character or sequence. Short names vary by language, and are from the CLDR data."
-
Ge0rG
😄 = :glimlaggende_gesig_met_oop_mond_en_glimlaggende_oë:
-
Kev
Or "Bob", to his friends.
-
Ge0rG
(I really like the Slack notation used for Emoji, where you use `:short_name:`)
-
edhelas
until you start to use things like jabber:x:data namespace in your message
-
jonasw
aaand we’re back to the plain text markup story
-
edhelas
personnaly, I think that this discussion is pointless
-
jonasw
edhelas, note though that emoji names are (a) always surrounded by whitespace and (b) not to be used in transport, only in display when no emoji capability is there by the rendering engine
-
Kev
Ge0rG: That's great, but that's a client-side thing, no reason for us not to then transmit as unicode.
-
Zash
Are we going in circles or some kind of 5-dimentional figure 8?
-
dwd
jonasw, What? No, :stuff: is a client-side thing, surely?
-
jonasw
dwd, I sure hope though!✎ -
edhelas
if we have XHTML-IM security issues, we open tickets in the bugtrackers of the buggy clients, and that's it, end of story
-
jonasw
dwd, I sure hope so! ✏
-
Ge0rG
Actually, Kev is right. Unicode should be the default transport format for Emoji. However, it would be great to have input conversion from ":)" to "😀" etc.
-
Kev
I agree wholeheartedly with that.
-
jonasw
:)
-
jonasw
it’s also lovely how this discussion messes with poezio
-
Zash
Client UX/UI issue?
-
edhelas
remember the Carbons security issue ? did we removed Carbons ? no
-
Ge0rG
Kev: that also means that clients without Emoji support need to keep a mapping table of all Emoji symbols to some other representation, like ASCII
-
jonasw
edhelas, one could argue that the vulnerability produced by XSS in XHTML-IM-Web-Clients is worse
-
Kev
Ge0rG: ugly, but sadly true.
-
jonasw
(up to stealing your password)
-
edhelas
we just added a small paragraph, released a security message, fixed all the buggy clients, and that was it
-
Kev
I'm actually tempted to write a XEP, given otherwise I'm busy setting up an AD this morning.
-
jonasw
Kev, oh the pain.
-
edhelas
jonasw define "worse"
-
Ge0rG
Kev: or we use client caps to indicate emoji support, and then the server can automagically translate unicode into :ascii: in outgoing messages!
-
jonasw
setting up LDAP is fun already, I don’t want to know how AD is like
-
dwd
Kev, You need some solid displacement activity.
-
jonasw
edhelas, stealing your password is arguably worse than being able to impersonate peers.
-
Ge0rG
Kev: write an XEP for what?
-
Kev
<no-emoticons xmlns='...'/>
-
edhelas
it's the responsibility of clients and servers devloppers to sanitize properly their I/O
-
jonasw
edhelas, yes, but do we need to make it hard for them?
-
Ge0rG
Kev: how would you handle ":)" with such an XEP marker?
-
Kev
Ge0rG: By rendering ":)"
-
edhelas
it's not "hard" to sanitize, most of those clients didn't even had any kind of security layer
-
Ge0rG
Kev: but that's not what people expect.
-
jonasw
Ge0rG, on the UI input or when received over the network?
-
jonasw
edhelas, source?
-
Ge0rG
jonasw: in both situations, because backward compatibility!11!
-
jonasw
I personally find @style hard to sanitize. You can’t do that with regexes alone.
-
Kev
Ge0rG: It's the sending client saying to the recipient "I have already done emoji conversion locally, so if there's something that looks like an ASCII emoticon in here, just render it as-is, because it's what the sender intended".
-
jonasw
(I’m pretty sure that the subset of CSS allowed by @style is not regular)
-
edhelas
jonasw if you code a client and simply do .innerHTML = message.body, well you should serously go take some Web dev courses again
-
Ge0rG
Kev: that makes sense to me.
-
jonasw
edhelas, and what if I don’t, but @style contains a background-image with a URL which makes the browser execute javascript?
-
jonasw
it’s a thing.
-
edhelas
seriously you want to reinvent your own markup ?
-
jonasw
edhelas, actually, I’m replaying the arguments of others here.
-
edhelas
looks like some JS hipster project
-
jonasw
my primary goal in this situation is to retain the capability for well-defined rich markup. If that’s by inventing our own rich markup or by providing a solid reference sanitizer for XHTML-IM, I don’t care.
-
dwd
edhelas, Most (decent) frameworks make that hard, but possible. The problem is that none of them make santizing HTML easy. The correct colution for embedding unknown-origin HTML is to enclose it in an iframe, but the problem there si that UX takes a hit.
-
Ge0rG
dwd: is copy&paste of message histories the only UX problem with iframes?
-
jonasw
Ge0rG, scrolling, sizing the iframe, …
-
jonasw
(but copy&paste is the worst, I think)
-
jonasw
and also iframes make me furious, I have to be able to select all the text!
-
Ge0rG
scrolling. ewwww.
-
jonasw
(I don’t think that you can tell an iframe to behave like a <div/> regarding layout, so that’s a whole can of worms there)
-
jonasw
(but maybe it’s possible I haven’t checked)
-
edhelas
personnally I just find XHTML-IM not great for users in general
-
jonasw
edhelas, why?
-
edhelas
and as I said, you'll have the exact same problem when users will use Atom in Pubsub
-
jonasw
for atom in pubsub, using an iframe is probably more realitsic
-
edhelas
I have to deeply sanitize Atom content to ensure that I don't have JS/CSS/iframe injections in it
-
jonasw
Ge0rG, and I’m not sure you can access the dom of an iframe from the outside
-
edhelas
no, hell no
-
edhelas
just sanitize things, you have nice libs for that
-
jonasw
edhelas, where are those nice libs, and why doesn’t the XHTML-IM XEP mention them?
-
edhelas
https://github.com/ezyang/htmlpurifier for PHP
-
jonasw
for JS that is
-
jonasw
because we’re talking about actual web clients
-
jonasw
things running in HTML+JS
-
edhelas
https://github.com/movim/movim/blob/e30f6f59cdb10ab697629a455d7cbfb8ff316773/src/Movim/Daemon/Api.php#L101
-
edhelas
jonasw https://code.google.com/archive/p/google-caja/wikis/JsHtmlSanitizer.wiki ?
-
jonasw
There was an error obtaining wiki data: {"data":{"text":null},"status":-1,"config":{"method":"GET","transformRequest":[null],"jsonpCallbackParam":"callback","url":"https://www.googleapis.com/storage/v1/b/google-code-archive/o/v2%2Fcode.google.com%2Fgoogle-caja%2Fwiki%2FJsHtmlSanitizer.wiki?alt=media","headers":{"Accept":"application/json, text/plain, */*"}},"statusText":""}
-
jonasw
edhelas, did you just google that or is that a library with a good security track record?
-
edhelas
just googling around
-
jonasw
yeah, that’s not how this will work
-
Ge0rG
Wow. a11n for Emoji is a black art on its own: http://unicode.org/repos/cldr/trunk/specs/ldml/tr35-general.html#SynthesizingNames
-
edhelas
but as I said, more than XHTML, I prefer to strip more of the tags and style, because I don't want my client discussion UI to look ugly
-
jonasw
Ge0rG, a11y for unicode is a black art on its own
-
jonasw
edhelas, we agree on burning @style with fire, right?
-
edhelas
I just agree to stop trying to fix a problem by bringing another one
-
edhelas
we have XHTML-IM, just bring good practice and fix those clients
-
jonasw
convince council :-)
-
jonasw
deep inside I’m still thinking that XHTML-IM can be "fixed" to the extent that developers are well-aware that it is tricky to get right and they’re also given the tools to do it right.
-
Ge0rG
web developers don't give a shit. They wouldn't be web developers otherwise.
-
jonasw
that’s a bit harsh
-
dwd
Ge0rG, I don't think that's true. I'm on a call with one now.
-
edhelas
Ge0rG thanks, much appreciated <3
-
jonasw
Ge0rG, I think there are web developers out there who actually want to make a good thing and who actually care. It’s not the majority though.
-
jonasw
(from what I feel when using web applications)
-
Ge0rG
edhelas: sorry. That was not intended to insult you. You are doing great work, actually.
-
Ge0rG
Oh my. They even distinguish AE and BE in the CLDR annotations: "😋" = "face savoring food" = "face savouring food"
-
jonasw
excellent
-
Ge0rG
"🥖" = "baguette bread" = "French stick" = "baguette" in English, depending on your locale.
-
jonasw
en_GB everywhere!
-
Ge0rG
An i18n a11y nightmare in five Emojis!
-
Ge0rG
(not that you could conclusively count the number of Emojis in a given UTF8 string)
-
jonasw
lovely
-
jonasw
why can’t we have nice things :(
-
Ge0rG
jonasw: because 🤦🏿🤖💩🤰
-
jonasw
what
-
Ge0rG
I wonder if "🤰♂" will be translated into "Arnold Schwarzenegger"
-
dwd
I might have persuaded our FE dev to wade in on the XHTML issue.
-
jonasw
dwd, in which way "wade in"?
-
dwd
jonasw, State his opinion. Given that he's a web/js developer first and foremost, it might be a useful perspective.
-
jonasw
mhm
-
zinid
edhelas also a web dev ;)
-
edhelas
damn, you unveiled me
-
jonasw
cue dramatic fanfare
-
edhelas
my evil plan of deploying broken XHTML-IM everywhere is falling appart
-
Ge0rG
world domination through XMPP XSS
-
dwd
zinid, It is possible there is more than just one web dev indeed.
-
zinid
dwd: so we need moar opinions? we don't get enough yet? :)
-
dwd
zinid, We don't need opinions, so much as a consensus.
-
Link Mauve
“10:17:01 jonasw> I personally find @style hard to sanitize. You can’t do that with regexes alone.”, indeed, you first have to split on “;” and then to split each value on “:” and then to pick only the elements you want to support from the left part. I would assume there is no language in which this is any difficult, though.
-
Link Mauve
background-image is explicitly not allowed by XHTML-IM, you wouldn’t allow it.
-
Ge0rG
Link Mauve: couldn't you still inject function calls into the right part?
-
Link Mauve
Ge0rG, none of the allowed properties support any URI or function call, I checked that the other day.
-
Ge0rG
Link Mauve: does that guarantee that browsers won't execute function calls / URIs when encountered there?
-
Link Mauve
I’ve found that browsers take security issue seriously, if the specification doesn’t allow such things and a bug is found in a browser, I’d expect it to be fixed very quickly.
-
Ge0rG
XHTML-IM it is, then!
-
Zash
https://www.zash.se/xep-0071-4177863-security.html
-
Ge0rG
Zash: it looks like the only item on the https://xmpp.org/extensions/xep-0038.html#sect-idm139548995353376 list that can't be mapped to Unicode is :jabber:. What an irony.
-
Kev
💡 doesn't quite cut it, does it?
-
Zash
Throw in some zwj stuff and call it a day
-
Ge0rG
💡 + Variant Selector 16.
-
Ge0rG
So I've written a poezio plugin that replaces all incoming Emojis with their respective :alias:. And now I see how ugly it looks and that I still need to look on my phone to see if it was an Emoji originally.
-
moparisthebest
but markup in <body> is bad, someone said
-
Zash
Unicode isn't markup
-
Ge0rG
moparisthebest: yes, and what I wrote underscores that point
-
moparisthebest
Ge0rG: I still need to look on my phone to see if it was an Emoji originally
-
moparisthebest
my question is, why do you care
-
Zash
@nickname is markup, right?
-
Link Mauve
Yeah.
-
moparisthebest
yep that's bad too, need a fancy UI and protocol established for highlighting someone
-
Link Mauve
moparisthebest, mentions already got a XEP.
-
SamWhited
Did it?
-
SamWhited
Link please!
-
Ge0rG
moparisthebest: I don't know why I care, but it turned out I do
-
Link Mauve
I don’t think it was this one I was thinking about: https://xmpp.org/extensions/inbox/jid-mention.html
-
Link Mauve
Maybe references?
-
Zash
Heh, Link
-
Link Mauve
Yes? :p
-
moparisthebest
Ge0rG, sounds like a personal problem vs a protocol problem :)
-
SamWhited
*snort* I didn't mean to do that.
-
SamWhited
I'd forgotten about this one, thanks
-
Zash
Can {xep attention} be directed at a MUC participant?
-
Bunneh
Zash: XEP-0224: Attention (Standards Track, Draft, 2008-11-13) See: https://xmpp.org/extensions/xep-0224.html
-
moparisthebest
jid-mention looks like a great way to spam more, that looks like about all it's useful for
-
Link Mauve
Zash, sadly no.
-
goffi
Link Mauve: jid-mention has been vetoed in favor of reference
-
Link Mauve
Ok.
-
SamWhited
Just got kicked from mucs on this server when I joined in another client. No idea why.
-
Link Mauve
SamWhited, a lot of people just left with “Kicked: remote server not found: Server-to-server connection failed: DNS resolution failed” as their status.
-
Link Mauve
The same second as yours.
-
SamWhited
ah, maybe my joining from another client was a red herring
-
dwd
In terms of "marking up" a mention, XEP-0372 is the best thinking we have currently.
-
SamWhited
References seems nice, but I wish the bit that reads "TODO: define character appropriately" were expanded. I don't think it could be implemented as-is in an interoperable manner without that bit being expanded.