Link Mauve: Sigh… https://github.com/candy-chat/candy/issues/445
daniel has left
daniel has joined
SamWhited: This is why XHTML-IM needs to be replaced. I know technically it's secure, but it's too easy for people to screw it up.
xnyhps has joined
Link Mauve: Web people manage to screw up without its help, you know.
SamWhited: Exactly, the situation is bad enough as is without us encouraging it :)
daniel has joined
Jef has joined
Link Mauve: I think on the contrary, specifying a whitelist helps people get things right.
intosi has joined
SamWhited: Oh yah, the XEP does it right, but no one actually reads standards.
daniel has left
daniel has joined
Link Mauve: Meh, Candy's latest version seems actually pretty buggy.
SamWhited: (I'm only sort of being facetious now...)
intosi has left
daniel: but hey html in text message is a really good idea
Zash: So are you submitting a patch? ;)
Kev: I'm not convinced that removing xhtml-im would improve anything.
Kev: People who just want pretty text and don't care about how they do it are no better off without a spec telling them they're being silly, certainly, and for people who want pretty text and do care, it's helpful to give a 'right way' to do it.
Link Mauve: I fully agree with that.
daniel has joined
daniel has left
dwd has left
daniel has joined
daniel has left
daniel has joined
dwd has left
daniel has left
daniel has joined
daniel has left
daniel has joined
SamWhited: Nah, if we gave them basic-formatting-language-im I don't think they'd add script tags to it or inject it straight into the DOM.
sezuan has left
daniel has joined
Link Mauve: You seem to be overestimating them.
Zash: That's exactly what would happen
Link Mauve: innerHTML is easy to use, and there is nothing that could harm the user in this new language right!
daniel has left
daniel has joined
daniel has left
daniel has joined
dwd has left
dwd has left
SamWhited: Fair enough :(
SamWhited: Yah, it's true; no idea where that burst of optimism came from, but you're right of course.
daniel has joined
Kev: Nor me, but it's obviously not healthy :)
daniel has left
daniel has joined
dwd has left
dwd has left
xnyhps has joined
daniel has left
daniel has joined
daniel has joined
daniel has joined
bjc has left
dwd has left
daniel has joined
dwd has left
daniel has joined
daniel has left
daniel has joined
dwd has left
xnyhps has left
Flow has left
daniel has left
daniel has joined
dwd has left
SamWhited has left
dwd has left
tim@boese-ban.de has left
tim@boese-ban.de has joined
dwd has left
xnyhps has left
Jef has left
daniel has left
dwd has left
dwd has left
daniel has joined
edhelas has joined
dwd has left
dwd has left
dwd has left
dwd has left
Link Mauve: edhelas just reminded me that his client used to pass the body itself to the DOM. :p
Link Mauve: Without implementing XHTML-IM.
dwd has left
SamWhited: Theoretically the body is escaped though, so as long as you're not unescaping it you should be good (though it never hurts to double check).
SamWhited: I'm sure you could find a way to exploit it if you're sticking anything straight into the DOM
dwd has left
Link Mauve: No, there is no escaping in the strings you get from your XMPP library.
Link Mauve: It's always the application's role to escape things as they see fit.
daniel has joined
Kev: Right. The body's escaped on the wire, but what you get out of your XMPP lib isn't going to be.
Zash: unless it's a really bad lib made of regexes
Link Mauve: :D
Zash: Also depends on how you put stuff into the DOM