This is why XHTML-IM needs to be replaced. I know technically it's secure, but it's too easy for people to screw it up.
Link Mauve
Web people manage to screw up without its help, you know.
SamWhited
Exactly, the situation is bad enough as is without us encouraging it :)
Link Mauve
I think on the contrary, specifying a whitelist helps people get things right.
SamWhited
Oh yah, the xep does it right, but no one actually reads standards.
Link Mauve
Meh, Candy’s latest version seems actually pretty buggy.
SamWhited
(I'm only sort of being facetious now...)
daniel
but hey html in text message is a really good idea
Zash
So are you submitting a patch? ;)
Kevish
I'm not convinced that removing xhtml-im would improve anything.
Kevish
People who just want pretty text and don't care about how they do it are no better off without a spec telling them they're being silly, certainly, and for people who want pretty text and do care, it's helpful to give a 'right way' to do it.
Link Mauve
I fully agree with that.
SamWhited
Nah, if we gave them basic-formatting-language-im I don't think they'd add script tags to it or inject it straight into the DOM.
Link Mauve
You seem to be overestimating them.
Zash
That's exactly what would happen
Link Mauve
innerHTML is easy to use, and there is nothing that could harm the user in this new language right!
SamWhited
Fair enough :(
SamWhited
Yah, it's true; no idea where that burst of optimism came from, but you're right of course.
Kevish
Nor me, but it's obviously not healthy :)
Link Mauve
edhelas just reminded me that his client used to pass the body itself to the DOM. :p
Link Mauve
Without implementing XHTML-IM.
SamWhited
Theoretically the body is escaped though, so as long as you're not unescaping it you should be good (though it never hurts to double check).
SamWhited
I'm sure you could find a way to exploit it if you're sticking anything straight into the DOM.
Link Mauve
No, there is no escaping in the strings you get from your XMPP library.
Link Mauve
It’s always the application's role to escape things as they see fit.
Kevish
Right. The body's escaped on the wire, but what you get out of your XMPP lib isn't going to be.