jdev - 2026-03-03

in xep-0421, it says: > Additionally, a MUC service SHOULD generate the identifier such that the occupant identifier of a user in one room of the service does not match the occupant identifier of the same user in another room of the same service. If the MUC service generates the same occupant identifier for the same user in different rooms, information shared using different nicknames and in different rooms could be combined through the occupant identifier and thereby unintentionally reveal information about the user. for one, what kinds of information leakage is the xep trying to prevent here? i'm finding it increasingly annoying that there's seemingly no way to tell whether two users in two semi-anon rooms are the same person or not secondly, assuming whatever leakage prevention is fair and valid, would it make sense to have a XEP defining an _opt-in_ identifier clients can send that hides the JID, but remains the same across MUCs? the main use-case i'm thinking about here is being able to hover over a user in a room and get your usual "mutual rooms" and "also known by" info you see in a lot of other platforms.

is there a standard way to do colored text in XMPP or in a XEP? ✏

> is there a standard way to do colored text in XMPP or in a XEP? i know there's a way to _generate_ a colour based on text, but i don't think you can send messages _with_ colours, if that's what you're asking ↺

yeah it's the latter

it's covered by xhtml-im, so you'd need a convenient way to edit that in an xhtml-im client

detente, https://xmpp.org/extensions/xep-0071.html

There used to be XHTML-IM, but that was ditched because it tended to end up being a security nightmare.

poezio for example still supports it, at least in a receiving direction (and uses it to render IRC colors from biboumi)

yeah that XEP is deprecated

i think something much more minimal could be defined

maybe if my beloved XEP-0394 (markup) gains wider support, an extension for colours could be defined :D

i don't think we need webpages in XMPP but we could use some basic formatting, the kind of stuff even IRC can do already

An extension to XEP-0394 would be my preference too

I think xhtml-im is fine tbh, if restricted to local content only the worst one can imagine is billion-laughs-style memory exhaustion attacks, which you shouldn't be building an xmpp client around a bad xml library anyway

eh, i don't think it's necessary to implement so much

if i understand 0394 correctly, something as simple as the following should work: ``` <message> <body>THIS has colour !!</body> <markup xmlns='urn:xmpp:markup:0'> <color xmlns='urn:xmpp:color:0' begin='0' end='4' color='#FFFFFF' /> </message> ```

snit: hmm, 394 already specifies that, and we just need clients with convenient editors?

it defines the markup format but not the color element

so you'd want to either make a new XEP for colours, or add it to 0394. 0394 itself seems to explicitly encourage extension to new markup in separate specifications as well

and then yeah all you'd need is client-side editor support

> in xep-0421, it says: > > Additionally, a MUC service SHOULD generate the identifier such that the occupant identifier of a user in one room of the service does not match the occupant identifier of the same user in another room of the same service. If the MUC service generates the same occupant identifier for the same user in different rooms, information shared using different nicknames and in different rooms could be combined through the occupant identifier and thereby unintentionally reveal information about the user. > for one, what kinds of information leakage is the xep trying to prevent here? i'm finding it increasingly annoying that there's seemingly no way to tell whether two users in two semi-anon rooms are the same person or not > secondly, assuming whatever leakage prevention is fair and valid, would it make sense to have a XEP defining an _opt-in_ identifier clients can send that hides the JID, but remains the same across MUCs? the main use-case i'm thinking about here is being able to hover over a user in a room and get your usual "mutual rooms" and "also known by" info you see in a lot of other platforms. also not to be annoying but would i be able to get some feedback on this ↺

Anonymity in semi-/anon MUCs is expected, so linking identities by default is a definite no; opt-in might be possible, but how many people would choose to do that?

hard to say; the only answer i've ever seen about why semi-anon exists is to hide JIDs to prevent dm/invite spam and such, so it doesn't seem like most people expect joining two different rooms on the same account without being known as the same person to be a use-case. i'd certainly opt-in, and i brought this up because its come up a few times in another muc i'm in, so i reckon its something a number of people would want ✏

should xhtml-im be un-deprecated?

snit, I think there's a good argument that occupant-ids should be stable in rooms within the same Space.

have we gotten better at sandboxed xhtml handling? Have all these email and webmail apps pushed the state-of-the-art forward?

sandbox escapes exist

dwd, `spaces-id` - just one more id, bro, then we've fixed it, bro!

plus i don't know if everyone wants to make such a heavy client

jackhill, Sandboxing isn't much of a problem, but it gets nastier in messaging because you often want to, for example, cut and paste entire conversations (or at least multiple messages) and that's very hard to achieve with sandboxed individual messages.

theTedd, All problems in computer science can be fixed with another level of indirection?

`id-id` that links all other ids together!

> dwd, `spaces-id` - just one more id, bro, then we've fixed it, bro! we need separate ids each that are: stable in one room, stable in one space's rooms, stable in all rooms, stable globally !! ↺

theTedd, I feel a XEP coming on for publication just after the end of the month.

> should xhtml-im be un-deprecated? yes ↺

> should xhtml-im be un-deprecated? Can devs be trusted not just to throw whatever they receive at a generic HTML renderer? This is the reason it was deprecated. ↺

Not just that reason, even.

Beyond that, both the markup and markdown XEPs were built to ensure that whether you looked at the rich or plain version of a message, you'd see the same message, which avoids various attacks (of the phishing kind of nature).

And then there was the UX of the safe ways of handling this in a webapp.

>> should xhtml-im be un-deprecated? > Can devs be trusted not just to throw whatever they receive at a generic HTML renderer? This is the reason it was deprecated. anyone putting unsanitized html into a web browser context is going to have other problems ↺

singpolyma, They did...

Sure, but if the spec is large and complex enough, it basically encourages doing that over implementing it yourself

we still have people doig this today, putting the current styling content into a markdown parser (which doesn't even work...) and then the raw output into a browser. some people are just determined to break every best practise

It's less intentional and more laziness

> Sure, but if the spec is large and complex enough, it basically encourages doing that over implementing it yourself well, you should definitely use off the shelf HTML stuff ↺

but need to either sanitize (using an off the shelf sanitizer) or use a real renderer and not a browser or web view

I agree the attempt in xhtml-im to define a "subset" of html was a bit silly

It's a profile of XHTML (obviously!) but that was the guidance from the W3C I think, back in the day.

singpolyma, it help(s|ed) to be able to render in more minimal contexts though

i don't think it's great to have the only option for colors and basic formatting be something that implies having a HTML renderer

jonas’: you mean being able to assume no one is using anything you aren't aware of? Except then in practise you'll need to check for other things anyway

detente: basically every UI framework has an HTML renderer built in anyway

that's why every protocol uses it

though it's pretty trivial to build your own, I've done it a few times

a huge mistake in my opinion

why?

singpolyma, oh, yeah, not for security purposes, clearly.

but for interop purposes.

having suggestions of stuff that is likely to be common I guess would be ok

complexity, practically requiring sandboxing these days, increased system resource use, and generally unnecessary levels of formatting

but I'd never want to rule out allowing other stuff

no sandboxing is required. there's no executable code

it's fundamentally the same as message styling just a different syntax

ironically it is "hardest" to do right in a web client

but most web frameworks are also used to this problem

ideally if it remains just HTML only with no additions like HTML5 that essentially imply JS... but then you can use any markup language you want at that point

HTML5 is just HTML, there's no javascript :)

neither CSS nor JavaScript is necessarily involved. certainly JavaScript must not be supported that would be bonkers

some tags essentially imply it but ok

wait, you mean i can't send arbitrary code and expect them to run it?? smh

Sandboxing wouldn't be required, except when devs blindly throw content at a browser window, and then they're executing any JS you send them. Yes they _should_ sanitise, as they _should_ do many other things, but experience shows that they do not.

indeed. and those who do not the deprecation does not help, as they also put the raw text in unescaped, or run in through a markdown parser without sanitizing, and many other problems

snit: for that there's WebXDC 😜

So offering people a box full of footguns maybe isn't the best way to go about it

> snit: for that there's WebXDC 😜 indeed. WebXDC is a very different beast and these objections very much do apply to it ↺

but departing from the standard format for text formatting which everything else uses just because some people hold it wrong... seems extreme to me

you'd have to define what "HTML" is as well, as theres the Living Standard HTML of today, HTML4.01, HTML5, the earlier versions of HTML, etc...