On Saturday, January 31, 2015 03:40:14 PM Cyril Soler wrote:
> The problem is that the GUI uses strings everywhere at many points, and we
> cannot patch/check them all. It's more efficient to catch them as soon as
> they arrive to the local node. The common point where this happens is the
> serialisation.

I believe the real problem is we are using HTML as transport format while we 
are not capable of rendering it safely.

We should use a simple syntax for chat messages and similar stuff and use html 
just for rendering.

1) User_a types simple text (if we really need emoticons we can give support 
to symbols like :| B) and so on, but I do prefer to have them just as plain 
text)
2) RS_a sends the message as is (plain text)
3) RS_b receives the plain text message
4) The received message is eventually converted to HTML by GUI_b
5) GUI_b renders the safe HTML generated at step 4

The other evil implication of using HTML as transport is that we are forcing 
all possible GUIs to be capable of rendering HTML. I have experienced this 
while I developed the Android GUI: I was forced to use a WebView for the chat and 
this introduced a lot of complications and problems, like inconsistent 
rendering with respect to the Qt GUI, vulnerabilities and so on...

I understand in the Web 2.shit era people do expect to put images and stuff like 
that in a chat, but I believe this should not be a priority for RS, and using HTML 
as transport is not the good way of doing this.

Retroshare-devel mailing list
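
Steps 4 and 5 of the scheme proposed in the message above, sketched as an added example that is not part of the original message and is not RetroShare code. The function names and the emoticon table (including the `;)` entry) are assumptions made for illustration; it uses only the C++ standard library rather than Qt.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Escape one character so received text can never introduce markup itself.
static void appendEscaped(std::string& out, char c) {
    switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        case '\n': out += "<br/>";  break;  // the only tag the renderer emits
        default:   out += c;
    }
}

// Constructed emoticon table: plain-text token -> numeric character reference.
static const std::vector<std::pair<std::string, std::string>> kEmoticons = {
    {":|", "&#x1F610;"}, {"B)", "&#x1F60E;"}, {";)", "&#x1F609;"},
};

// Step 4: convert the plain text that arrived over the wire into HTML.
// Tokens are matched on the raw input, not on escaped output; otherwise the
// ";" ending "&quot;" followed by ")" would be mistaken for the ";)" token.
std::string renderChatMessage(const std::string& plain) {
    std::string out;
    std::size_t i = 0;
    while (i < plain.size()) {
        bool matched = false;
        for (const auto& e : kEmoticons) {
            if (plain.compare(i, e.first.size(), e.first) == 0) {
                out += e.second;
                i += e.first.size();
                matched = true;
                break;
            }
        }
        if (!matched) appendEscaped(out, plain[i++]);
    }
    return out;
}

int main() {
    // Constructed sample message, as RS_b would receive it in step 3.
    std::cout << renderChatMessage("<b>hi</b> \"ok\") :|\n") << "\n";
    return 0;
}
```

Because the sender's bytes are treated purely as text, every tag in the rendered output originates in the receiving GUI, and a GUI without an HTML widget can display the same message unchanged.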
