-
moparisthebest
https://burtrum.org/up/53831ae2-c479-4137-a8c6-d2007b0680df/IMG_20210130_203835.jpg
-
moparisthebest
^ Looks like XMPP isn't the only one with, eh, styling problems cc SamWhited jonas’
-
moparisthebest
Does matrix really use pseudo-xml for markup in its text?
-
moparisthebest
For context, this is an IRC channel I'm joined to via conversations and biboumi and those people are joined from matrix
-
SamWhited
It's a subset of HTML, not XML
-
SamWhited
https://matrix.org/docs/spec/client_server/unstable#m-room-message-msgtypes
-
moparisthebest
> Clients should limit the HTML they render to avoid Cross-Site Scripting, HTML injection, and similar attacks. The strongly suggested set of HTML tags to permit, denying the use and rendering of anything else, is: ...
-
moparisthebest
Yikes, well, nothing could possibly go wrong there right?
-
moparisthebest
> Not all attributes on those tags should be permitted
-
SamWhited
There's an open proposal for a replacement (although I think it still uses HTML? I dunno, I haven't really read it): https://github.com/matrix-org/matrix-doc/pull/1767
-
moparisthebest
It's cool how when that PR is merged all clients will be instantly updated
-
moparisthebest
Since that was the point of not doing xeps I mean
-
Zash
moparisthebest: It's HTML embedded in JSON, so it's perfectly safe. Mastodon does it that way too. But XHTML in XML is impossible to secure!!!!kk!!
-
SamWhited
Both are impossible to secure. Reusing the layer your client is built in (possibly) internally is just a bad idea, period.
-
moparisthebest
Speaking of impossible to secure, add mam and carbons to the list https://monal.im/blog/cve-2020-26547/
-
Zash
Welcome to the club!
-
moparisthebest
The list of clients that haven't had that vuln is probably shorter
-
Zash
That list is probably the list of clients where nobody has looked yet. 🙁
-
moparisthebest
Likely
-
Zash
Ge0rG can confirm 🙂
-
moparisthebest
Anyone look at siskin yet
-
Zash
https://wiki.xmpp.org/web/XEP-Remarks/XEP-0280:_Message_Carbons#Client-Side_Processing
-
moparisthebest
Add it to the list! Any similar note for mam?
-
Zash
https://wiki.xmpp.org/web/XEP-Remarks/XEP-0313:_Message_Archive_Management looks like
-
Zash
IIRC similar issue with rosters have been a thing in the past
-
Daniel
> The list of clients that haven't had that vuln is probably shorter
Conversations is on that list
-
moparisthebest
Possibly alone
-
Zash
Daniel: 🥇️
-
Zash
A winrar is you!
-
Ge0rG
BTW, I've recently added those lists to the wiki because of the "new" pidgin Carbons code being vulnerable
-
Ge0rG
Maybe somebody can add the Monal link?
-
Zash
On it
-
Zash
Done
-
Zash
Hope the link title is ok. If not, fix it! 😉
-
Ge0rG
👍
-
jonas’
moparisthebest, since you mentioned it here the other day, pester your XMPP client developer about supporting the color vision deficiency fixes for '392 :)
-
flow
https://www.nic.at/media/files/News_and_PR/BachelorArbeit.pdf
-
Zash
DE-crypted?
-
Zash
Ah, nm, some kind of foreword
-
moparisthebest
on the topic of programmatically generated avatars instead of colors from the other day, lol https://social.tchncs.de/@cark/105651953031693352
-
moparisthebest
I don't speak German but the gist seems to be gitea generated a swastika for some users cc jonas’
-
Zash
Praise the sun.
-
Zash
Can't have nice things or rotational symmetry.
-
moparisthebest
1. randomly generated avatars 2. not offending users; pick 1
-
Zash
And whatever you do, don't let the Internet train your AI!