> Clients should limit the HTML they render to avoid Cross-Site Scripting, HTML injection, and similar attacks. The strongly suggested set of HTML tags to permit, denying the use and rendering of anything else, is: ...
moparisthebest
Yikes, well, nothing could possibly go wrong there right?
moparisthebest
> Not all attributes on those tags should be permitted
SamWhited
There's an open proposal for a replacement (although I think it still uses HTML? I dunno, I haven't really read it): https://github.com/matrix-org/matrix-doc/pull/1767
moparisthebest
It's cool how when that PR is merged all clients will be instantly updated
moparisthebest
Since that was the point of not doing XEPs, I mean
Zash
moparisthebest: It's HTML embedded in JSON, so it's perfectly safe. Mastodon does it that way too. But XHTML in XML is impossible to secure!!!!kk!!
SamWhited
Both are impossible to secure. Reusing the layer your client is built in (possibly) internally is just a bad idea, period.
moparisthebest
Speaking of impossible to secure, add mam and carbons to the list https://monal.im/blog/cve-2020-26547/
Zash
Welcome to the club!
moparisthebest
The list of clients that haven't had that vuln is probably shorter
Zash
That list is probably the list of clients where nobody has looked yet. 🙁
https://wiki.xmpp.org/web/XEP-Remarks/XEP-0313:_Message_Archive_Management looks like
Zash
IIRC similar issue with rosters have been a thing in the past
Daniel
> The list of clients that haven't had that vuln is probably shorter
Conversations is on that list
moparisthebest
Possibly alone
Zash
Daniel: 🥇️
Zash
A winrar is you!
Ge0rG
BTW, I've recently added those lists to the wiki because of the "new" pidgin Carbons code being vulnerable
Ge0rG
Maybe somebody can add the Monal link?
Zash
On it
Zash
Done
Zash
Hope the link title is ok. If not, fix it! 😉
Ge0rG
👍
jonas’
moparisthebest, since you mentioned it here the other day, pester your XMPP client developer about supporting the color vision deficiency fixes for '392 :)