Link Mauve, my issue with colors is that they are not portable at all. your choice of colors may be badly readable on my background
jonasw
since people tend to forget that I had to block inbound colors on my desktop client.
jonasw
I’m not against color support, but we need to define a way (Ge0rG suggested to support a palette of XEP-0392 colors which applications can then adapt according to XEP-0392 to their backgrounds) which allows it to play nice with themes.
daniel
jonasw: just set a background color as well
jonasw
daniel, yes, that makes things *so* much better :P
daniel
Xhtml is perfect. People are just using it wrong
daniel
It's the people. Not the protocol
jonasw
Link Mauve, re JSON based protocol-break: I think it can be done in a way which makes arbitrary XHTML injection much harder to let happen than with XHTML-Im.
zinid
jonasw: so you think it's worth redoing everything just because the new format will possess fewer issues? Not everyone agrees with it, that's why this discussion is not going to stop
jonasw
zinid, *shrug*. I’d still be okay with the "provide an audited reference implementation for XHTML-IM solution", but I feel that won’t get past SamWhited. I’m trying to compromise here without losing what we can do today.
zinid
if SamWhited doesn't pass it that would mean nothing will ever happen
zinid
and we're back to the beginning
Ge0rG
Wow, that discussion.
Ge0rG
It seems to be so fundamental, maybe we should question the use of XML as well...
jonasw
Ge0rG, you love to pour oil into fires, don’t you?
Ge0rG
jonasw: okay, that was a bit harsh. Let's only question session binding and message routing.
jonasw
Ge0rG, that sounds good.
jonasw
didn’t we do that already?
Ge0rG
jonasw: or maybe we need a different approach to the "database synchronization" thought: XMPP 2.0 is an HTML document that's slowly loading from the server as new messages arrive.
Ge0rG
That way we can implement dumb clients in Electron.
jonasw
Ge0rG, you’re describing Comet
Zash
jonasw: Pouring oil? More like feeding it an optimally mixed solution of pure oxygen and aerosolized oil
Ge0rG
Because the server is trustworthy by default, there is no need to cover XSS
jonasw
Zash, :)
Zash
Yes, trust in the server. We're all trustworthy people making them.
Ge0rG
Well, problem solved. Back to real work.
zinid
Ge0rG: of course we can question the use of XML, because it's shit
zinid
now we need to rewrite everything?
Zash
Yeah, starting over from scratch is so much fun!
pep.
Why don't we use http and json already
Ge0rG
Wait, there is a ready-made solution already. Matrix!
pep.
Ge0rG, I think we came to the same conclusion
zinid
pep.: because jabber was initially designed with flaws: there is no separation between encoding rules and data types, so we cannot simply change encoding rules
zinid
I'm talking about it since 2004
pep.
zinid: that was sarcastic
pep.
If it wasn't obvious enough :)
zinid
pep.: right, but that would be possible if xmpp wasn't designed the way it was
pep.
Sure, but who would do that :x
zinid
matrix has exactly the same problem btw, when json is no longer modern and fancy it will be abandoned
Zash
Obviously
Ge0rG
So we need to use an established standard that won't vanish. ASN.1!
Zash
YES
jonasw
AaaaaaaaAAAAAaaaaaAAAaaaaaaaa
jonasw
I always get attacks of pain when I read ASN.1, and I don’t even know why.
Ge0rG
So recently I started reading that old "Easy introduction into the subset of ASN.1 relevant for [application]", and I gave up after twenty pages.
jonasw
lol
Zash
jonasw: Spend some time with it. It should turn into a mild itch eventually.
Zash
I hope you all read x509guide.txt
Steve Kille
ASN.1 is wonderful. MUCH easier to write specs in than XML and compact on the wire
Zash
Steve Kille: Which encoding rules? ;)
zinid
Steve Kille: the learning curve is too high, that's why they are crying :)
jonasw
Steve Kille, reminds me, I (with my editor hat on) would like to fix some XML issues in the MIX XEP at some point. Let me know when that’d work for you so that we don’t produce conflicts.
zinid
Zash: why would encoding rules bother an application programmer? You don't need to deal with them directly
Steve Kille
jonasw: now would be an excellent time for you to do this. I do not have MIX XEP checked out.
jonasw
Steve Kille, mhm, right, now won’t work for me though :-). I’ll ask you again when I’m ready (I expected a reply along the lines of "I have some update prepared which I’ll push at some point")
Ge0rG
jonasw: you could ask for a time window as well ;)
Steve Kille
There are various changes I want to make, but they all need discussion with my co-author
jonasw
Ge0rG, indeed; I’m away for a week now though
jonasw
so this was probably not the smartest time for me to ask :)
Ge0rG
jonasw: you could ask something like "is it okay if I do it in a week" :P
jonasw
Ge0rG, in two weeks rather
Steve Kille
I have one editorial task, which you are welcome to take on (but I can also do easily) which is to ensure that ALL of the examples use .example (following IETF guidelines)
Ge0rG, A good point to raise, and also Kev's right.
Kev
I suggest <no-emoticons xmlns='...'/> as a child element of the message.
edhelas
in Unicode � trust
Kev
So that recipients know that the sending client doesn't use text emoticons, only unicode emoji.
Ge0rG
Kev: in theory, you are right. In practice, it is impossible for a client implementation to figure out which subset of Unicode is supported by its platform.
Kev
That's ok, in a sense. Clients can e.g. swap out unicode emoji for images locally.
Ge0rG
Kev: we could of course define entity caps for a client to show which subset it supports.
Kev
I think (much as I hate it) that that's what Swift's going to have to do on Linux, at least, and probably Windows.
Ge0rG
I'm also a proponent of emoji hugification in IM. Because you can't read them at 8x16 pixels.
Ge0rG
TIL about emoji CLDR short names: "The CLDR short name for the character or sequence. Short names vary by language, and are from the CLDR data."
(I really like the Slack notation used for Emoji, where you use `:short_name:`)
edhelas
until you start to use things like jabber:x:data namespace in your message
jonasw
aaand we’re back to the plain text markup story
edhelas
personally, I think that this discussion is pointless
jonasw
edhelas, note though that emoji names are (a) always surrounded by whitespace and (b) not to be used in transport, only in display when no emoji capability is there by the rendering engine
Kev
Ge0rG: That's great, but that's a client-side thing, no reason for us not to then transmit as unicode.
Zash
Are we going in circles or some kind of 5-dimensional figure 8?
dwd
jonasw, What? No, :stuff: is a client-side thing, surely?
Actually, Kev is right. Unicode should be the default transport format for Emoji. However, it would be great to have input conversion from ":)" to "😀" etc.
Kev
I agree wholeheartedly with that.
jonasw
:)
jonasw
it’s also lovely how this discussion messes with poezio
Zash
Client UX/UI issue?
edhelas
remember the Carbons security issue? did we remove Carbons? no
Ge0rG
Kev: that also means that clients without Emoji support need to keep a mapping table of all Emoji symbols to some other representation, like ASCII
jonasw
edhelas, one could argue that the vulnerability produced by XSS in XHTML-IM-Web-Clients is worse
Kev
Ge0rG: ugly, but sadly true.
jonasw
(up to stealing your password)
edhelas
we just added a small paragraph, released a security message, fixed all the buggy clients, and that was it
Kev
I'm actually tempted to write a XEP, given otherwise I'm busy setting up an AD this morning.
jonasw
Kev, oh the pain.
edhelas
jonasw define "worse"
Ge0rG
Kev: or we use client caps to indicate emoji support, and then the server can automagically translate unicode into :ascii: in outgoing messages!
jonasw
setting up LDAP is fun already, I don’t want to know what AD is like
dwd
Kev, You need some solid displacement activity.
jonasw
edhelas, stealing your password is arguably worse than being able to impersonate peers.
Ge0rG
Kev: write an XEP for what?
Kev
<no-emoticons xmlns='...'/>
edhelas
it's the responsibility of client and server developers to properly sanitize their I/O
jonasw
edhelas, yes, but do we need to make it hard for them?
Ge0rG
Kev: how would you handle ":)" with such an XEP marker?
Kev
Ge0rG: By rendering ":)"
edhelas
it's not "hard" to sanitize, most of those clients didn't even have any kind of security layer
Ge0rG
Kev: but that's not what people expect.
jonasw
Ge0rG, on the UI input or when received over the network?
jonasw
edhelas, source?
Ge0rG
jonasw: in both situations, because backward compatibility!11!
jonasw
I personally find @style hard to sanitize. You can’t do that with regexes alone.
Kev
Ge0rG: It's the sending client saying to the recipient "I have already done emoji conversion locally, so if there's something that looks like an ASCII emoticon in here, just render it as-is, because it's what the sender intended".
jonasw
(I’m pretty sure that the subset of CSS allowed by @style is not regular)
edhelas
jonasw if you code a client and simply do .innerHTML = message.body, well you should seriously go take some Web dev courses again
Ge0rG
Kev: that makes sense to me.
jonasw
edhelas, and what if I don’t, but @style contains a background-image with a URL which makes the browser execute javascript?
jonasw
it’s a thing.
edhelas
seriously you want to reinvent your own markup ?
jonasw
edhelas, actually, I’m replaying the arguments of others here.
edhelas
looks like some JS hipster project
jonasw
my primary goal in this situation is to retain the capability for well-defined rich markup. If that’s by inventing our own rich markup or by providing a solid reference sanitizer for XHTML-IM, I don’t care.
dwd
edhelas, Most (decent) frameworks make that hard, but possible. The problem is that none of them make sanitizing HTML easy. The correct solution for embedding unknown-origin HTML is to enclose it in an iframe, but the problem there is that UX takes a hit.
Ge0rG
dwd: is copy&paste of message histories the only UX problem with iframes?
jonasw
Ge0rG, scrolling, sizing the iframe, …
jonasw
(but copy&paste is the worst, I think)
jonasw
and also iframes make me furious, I have to be able to select all the text!
Ge0rG
scrolling. ewwww.
jonasw
(I don’t think that you can tell an iframe to behave like a <div/> regarding layout, so that’s a whole can of worms there)
jonasw
(but maybe it’s possible I haven’t checked)
edhelas
personally I just find XHTML-IM not great for users in general
jonasw
edhelas, why?
edhelas
and as I said, you'll have the exact same problem when users will use Atom in Pubsub
jonasw
for atom in pubsub, using an iframe is probably more realistic
edhelas
I have to deeply sanitize Atom content to ensure that I don't have JS/CSS/iframe injections in it
jonasw
Ge0rG, and I’m not sure you can access the dom of an iframe from the outside
edhelas
no, hell no
edhelas
just sanitize things, you have nice libs for that
jonasw
edhelas, where are those nice libs, and why doesn’t the XHTML-IM XEP mention them?
[Link preview failed to load: google-caja wiki page JsHtmlSanitizer]
jonasw
edhelas, did you just google that or is that a library with a good security track record?
edhelas
just googling around
jonasw
yeah, that’s not how this will work
Ge0rG
Wow. a11n for Emoji is a black art on its own: http://unicode.org/repos/cldr/trunk/specs/ldml/tr35-general.html#SynthesizingNames
edhelas
but as I said, more than XHTML, I prefer to strip more of the tags and style, because I don't want my client discussion UI to look ugly
jonasw
Ge0rG, a11y for unicode is a black art on its own
jonasw
edhelas, we agree on burning @style with fire, right?
edhelas
I just agree to stop trying to fix a problem by bringing another one
edhelas
we have XHTML-IM, just bring good practice and fix those clients
jonasw
convince council :-)
jonasw
deep inside I’m still thinking that XHTML-IM can be "fixed" to the extent that developers are well-aware that it is tricky to get right and they’re also given the tools to do it right.
Ge0rG
web developers don't give a shit. They wouldn't be web developers otherwise.
jonasw
that’s a bit harsh
dwd
Ge0rG, I don't think that's true. I'm on a call with one now.
edhelas
Ge0rG thanks, much appreciated <3
jonasw
Ge0rG, I think there are web developers out there who actually want to make a good thing and who actually care. It’s not the majority though.
jonasw
(from what I feel when using web applications)
Ge0rG
edhelas: sorry. That was not intended to insult you. You are doing great work, actually.
Ge0rG
Oh my. They even distinguish AE and BE in the CLDR annotations: "😋" = "face savoring food" = "face savouring food"
jonasw
excellent
Ge0rG
"🥖" = "baguette bread" = "French stick" = "baguette" in English, depending on your locale.
jonasw
en_GB everywhere!
Ge0rG
An i18n a11y nightmare in five Emojis!
Ge0rG
(not that you could conclusively count the number of Emojis in a given UTF8 string)
jonasw
lovely
jonasw
why can’t we have nice things :(
Ge0rG
jonasw: because 🤦🏿🤖💩🤰
jonasw
what
Ge0rG
I wonder if "🤰♂" will be translated into "Arnold Schwarzenegger"
dwd
I might have persuaded our FE dev to wade in on the XHTML issue.
jonasw
dwd, in which way "wade in"?
dwd
jonasw, State his opinion. Given that he's a web/js developer first and foremost, it might be a useful perspective.
jonasw
mhm
zinid
edhelas also a web dev ;)
edhelas
damn, you unveiled me
jonasw
cue dramatic fanfare
edhelas
my evil plan of deploying broken XHTML-IM everywhere is falling apart
Ge0rG
world domination through XMPP XSS
dwd
zinid, It is possible there is more than just one web dev indeed.
zinid
dwd: so we need moar opinions? we don't get enough yet? :)
dwd
zinid, We don't need opinions, so much as a consensus.
Link Mauve
“10:17:01 jonasw> I personally find @style hard to sanitize. You can’t do that with regexes alone.”, indeed, you first have to split on “;” and then to split each value on “:” and then to pick only the elements you want to support from the left part. I would assume there is no language in which this is at all difficult, though.
Link Mauve
background-image is explicitly not allowed by XHTML-IM, you wouldn’t allow it.
Ge0rG
Link Mauve: couldn't you still inject function calls into the right part?
Link Mauve
Ge0rG, none of the allowed properties support any URI or function call, I checked that the other day.
Ge0rG
Link Mauve: does that guarantee that browsers won't execute function calls / URIs when encountered there?
Link Mauve
I’ve found that browsers take security issues seriously, if the specification doesn’t allow such things and a bug is found in a browser, I’d expect it to be fixed very quickly.
Zash: it looks like the only item on the https://xmpp.org/extensions/xep-0038.html#sect-idm139548995353376 list that can't be mapped to Unicode is :jabber:. What an irony.
Kev
💡 doesn't quite cut it, does it?
Zash
Throw in some zwj stuff and call it a day
Ge0rG
💡 + Variant Selector 16.
Ge0rG
So I've written a poezio plugin that replaces all incoming Emojis with their respective :alias:. And now I see how ugly it looks and that I still need to look on my phone to see if it was an Emoji originally.
moparisthebest
but markup in <body> is bad, someone said
Zash
Unicode isn't markup
Ge0rG
moparisthebest: yes, and what I wrote underscores that point
moparisthebest
Ge0rG: I still need to look on my phone to see if it was an Emoji originally
moparisthebest
my question is, why do you care
Zash
@nickname is markup, right?
Link Mauve
Yeah.
moparisthebest
yep that's bad too, need a fancy UI and protocol established for highlighting someone
Link Mauve
moparisthebest, mentions already got a XEP.
SamWhited
Did it?
SamWhited
Link please!
Ge0rG
moparisthebest: I don't know why I care, but it turned out I do
Link Mauve
I don’t think it was this one I was thinking about: https://xmpp.org/extensions/inbox/jid-mention.html
Link Mauve
Maybe references?
Zash
Heh, Link
Link Mauve
Yes? :p
moparisthebest
Ge0rG, sounds like a personal problem vs a protocol problem :)
SamWhited
*snort* I didn't mean to do that.
SamWhited
I'd forgotten about this one, thanks
Zash
Can {xep attention} be directed at a MUC participant?
jid-mention looks like a great way to spam more, that looks like about all it's useful for
Link Mauve
Zash, sadly no.
goffi
Link Mauve: jid-mention has been vetoed in favor of reference
Link Mauve
Ok.
SamWhited
Just got kicked from mucs on this server when I joined in another client. No idea why.
Link Mauve
SamWhited, a lot of people just left with “Kicked: remote server not found: Server-to-server connection failed: DNS resolution failed” as their status.
Link Mauve
The same second as yours.
SamWhited
ah, maybe my joining from another client was a red herring
dwd
In terms of "marking up" a mention, XEP-0372 is the best thinking we have currently.
SamWhited
References seems nice, but I wish the bit that reads "TODO: define character appropriately" were expanded. I don't think it could be implemented as-is in an interoperable manner without that bit being expanded.