XSF Discussion - 2021-01-31

  1. moparisthebest

    https://burtrum.org/up/53831ae2-c479-4137-a8c6-d2007b0680df/IMG_20210130_203835.jpg

  2. moparisthebest

    ^ Looks like XMPP isn't the only one with, eh, styling problems cc SamWhited jonas’

  3. moparisthebest

    Does matrix really use pseudo-xml for markup in it's text?

  4. moparisthebest

    For context, this is an IRC channel I'm joined to via conversations and biboumi and those people are joined from matrix

  5. SamWhited

    It's a subset of HTML, not XML

  6. SamWhited

    https://matrix.org/docs/spec/client_server/unstable#m-room-message-msgtypes

  7. moparisthebest

    > Clients should limit the HTML they render to avoid Cross-Site Scripting, HTML injection, and similar attacks. The strongly suggested set of HTML tags to permit, denying the use and rendering of anything else, is: ...

  8. moparisthebest

    Yikes, well, nothing could possibly go wrong there right?

  9. moparisthebest

    > Not all attributes on those tags should be permitted

  10. SamWhited

    There's an open proposal for a replacement (although I think it still uses HTML? I dunno, I haven't really read it): https://github.com/matrix-org/matrix-doc/pull/1767

  11. moparisthebest

    It's cool how when that PR is merged all clients will be instantly updated

  12. moparisthebest

    Since that was the point of not doing xeps I mean

  13. Zash

    moparisthebest: It's HTML embedded in JSON, so it's perfectly safe. Mastodon does it that way too. But XHTML in XML is impossible to secure!!!!kk!!

  14. SamWhited

    Both are impossible to secure. reusing the layer your client is built in (possibly) internally is just a bad idea period.

  15. moparisthebest

    Speaking of impossible to secure, add mam and carbons to the list https://monal.im/blog/cve-2020-26547/

  16. Zash

    Welcome to the club!

  17. moparisthebest

    The list of clients that haven't had that vuln is probably shorter

  18. Zash

    That list is probably the list of clients where nobody has looked yet. 🙁

  19. moparisthebest

    Likely

  20. Zash

    Ge0rG can confirm 🙂

  21. moparisthebest

    Anyone look at siskin yet

  22. Zash

    https://wiki.xmpp.org/web/XEP-Remarks/XEP-0280:_Message_Carbons#Client-Side_Processing

  23. moparisthebest

    Add it to the list! Any similar note for mam?

  24. Zash

    https://wiki.xmpp.org/web/XEP-Remarks/XEP-0313:_Message_Archive_Management looks like

  25. Zash

    IIRC similar issue with rosters have been a thing in the past

  26. Daniel

    > The list of clients that haven't had that vuln is probably shorter Conversations is on that list

  27. moparisthebest

    Possibly alone

  28. Zash

    Daniel: 🥇️

  29. Zash

    A winrar is you!

  30. Ge0rG

    BTW, I've recently added those lists to the wiki because of the "new" pidgin Carbons code being vulnerable

  31. Ge0rG

    Maybe somebody can add the Monal link?

  32. Zash

    On it

  33. Zash

    Done

  34. Zash

    Hope the link title is ok. If not, fix it! 😉

  35. Ge0rG

    👍

  36. jonas’

    moparisthebest, since you mentioned it here the other day, pester your XMPP client developer about supporting the color vision deficiency fixes for '392 :)

  37. flow

    https://www.nic.at/media/files/News_and_PR/BachelorArbeit.pdf

  38. Zash

    DE-crypted?

  39. Zash

    Ah, nm, some kind of fore-word

  40. moparisthebest

    on the topic of programatically generated avatars instead of colors from the other day, lol https://social.tchncs.de/@cark/105651953031693352

  41. moparisthebest

    I don't speak german but the gist seems to be gitea generated a swastika for some users cc jonas’

  42. Zash

    Praise the sun.

  43. Zash

    Can't have nice things or rotational symmetry.

  44. moparisthebest

    1. randomly generated avatars 2. not offending users; pick 1

  45. Zash

    And whatever you do, don't let the Internet train your AI!